Fiat-Shamir via List-Recoverable Codes (or: Parallel Repetition of GMW is not Zero-Knowledge)

Justin Holmgren∗ Alex Lombardi† Ron D. Rothblum‡

March 6, 2021

Abstract Shortly after the introduction of zero-knowledge proofs, Goldreich, Micali and Wigderson (CRYPTO ’86) demonstrated their wide applicability by constructing zero-knowledge proofs for the NP-complete problem of graph 3-coloring. A long-standing open question has been whether parallel repetition of their protocol preserves zero knowledge. In this work, we answer this question in the negative, assuming a standard cryptographic assumption (i.e., the hardness of learning with errors (LWE)). Leveraging a connection observed by Dwork, Naor, Reingold, and Stockmeyer (FOCS ’99), our negative result is obtained by making positive progress on a related fundamental problem in cryptography: securely instantiating the Fiat-Shamir heuristic for eliminating interaction in public-coin interactive protocols. A recent line of works has shown how to instantiate the heuristic securely, albeit only for a limited class of protocols. Our main result shows how to instantiate Fiat-Shamir for parallel repetitions of much more general interactive proofs. In particular, we construct hash functions that, assuming LWE, securely realize the Fiat-Shamir transform for the following rich classes of protocols: 1. The parallel repetition of any “commit-and-open” protocol (such as the GMW protocol mentioned above), when a specific (natural) commitment scheme is used. Commit-and- open protocols are a ubiquitous paradigm for constructing general purpose public-coin zero knowledge proofs. 2. The parallel repetition of any base protocol that (1) satisfies a stronger notion of sound- ness called round-by-round soundness, and (2) has an efficient procedure, using a suitable trapdoor, for recognizing “bad verifier randomness” that would allow the prover to cheat. Our results are obtained by establishing a new connection between the Fiat-Shamir trans- form and list-recoverable codes. In contrast to the usual focus in coding theory, we focus on a parameter regime in which the input lists are extremely large, but the rate can be small. We give a (probabilistic) construction based on Parvaresh-Vardy codes (FOCS ’05) that suffices for our applications.

∗NTT Research. Email: [email protected]. †MIT. Email: [email protected]. Research conducted in part while the author was an intern at NTT Research. Research supported in part by an NDSEG fellowship. Research supported in part by NSF Grants CNS-1350619 and CNS-1414119, and by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236. ‡Technion. Email: [email protected]. Supported in part by a Milgrom family grant, by the Israeli Science Foundation (Grants No. 1262/18 and 2137/19), and grants from the Technion Hiroshi Fujiwara cyber security research center and Israel cyber directorate. Contents

1 Introduction 1 1.1 Securely Instantiating Fiat-Shamir...... 2 1.2 Technical Overview...... 6 1.3 Reflections: Fiat-Shamir via Coding Theory...... 13 1.4 Related Work...... 14 1.4.1 Correlation Intractability and Fiat-Shamir...... 14 1.4.2 List-Recoverable Codes and Cryptography...... 16

2 Preliminaries 17 2.1 Interactive Proofs and Zero-Knowledge...... 17 2.2 Cryptographic Primitives and Assumptions...... 18 2.3 Correlation-Intractable Hash Functions...... 19 2.4 The Fiat-Shamir Transform...... 20 2.5 Error Correcting Codes and List Recovery...... 21 2.6 Concentration Inequalities...... 22

3 Derandomization for Correlation Intractability 22 3.1 Correlation Intractability via List Recovery...... 22 3.2 Handling Large Alphabets via Subsampling...... 24

4 Basic List Recovery Bounds 25

5 Fiat-Shamir for Commit-And-Open Protocols 28 5.1 Correlation Intractability for Efficiently Verifiable Product Relations...... 28 5.2 Fiat-Shamir for Trapdoor 3-Message Protocols...... 30 5.3 Commit and Open Protocols...... 32 5.4 Zero Knowledge is Not Preserved by Parallel Repetition...... 33

6 Fiat-Shamir for Round-By-Round Sound Protocols 33 6.1 CI for Efficiently Verifiable Approximate Product Relations...... 34 6.2 Applications to Fiat-Shamir for Round-by-Round Sound Protocols...... 36 6.2.1 Notions of Bad Challenge Efficient Decidability...... 38 6.2.2 Putting Everything Together...... 39 1 Introduction

Zero-knowledge proofs, introduced by Goldwasser, Micali and Rackoff [GMR85], are a beauti- fully paradoxical construct. Such proofs allow a prover to convince a verifier that an assertion is true without revealing anything beyond that to the verifier. Soon after the introduction of zero- knowledge proofs, Goldreich, Micali and Wigderson [GMW86] constructed a zero-knowledge proof system (henceforth referred to as the GMW protocol) for the 3-coloring problem. This result is a cornerstone in the development of zero-knowledge proofs, since 3-coloring is NP-complete, and so the GMW protocol actually yields zero-knowledge proofs for any problem in NP. Roughly speaking, the idea underlying the GMW protocol is for the prover to commit (via a cryptographic commitment scheme) to a random 3-coloring of the graph. The verifier chooses a random edge and the prover decommits to the colors of the two endpoints. Intuitively, the protocol is zero-knowledge since the verifier (even if acting maliciously) knows what to expect: two random different colors. An important point however is that this base protocol has poor soundness. For example, suppose that the input graph G = (V,E) is not 3-colorable, but has a coloring that miscolors only one edge. In such a case, the verifier’s probability of detecting the monochromatic edge is only 1/|E|. Thankfully, the soundness of the GMW protocol (or any other interactive proof) can be amplified by repetition. That is, in order to reduce the soundness error, one can repeat the base GMW protocol multiple times, either sequentially or in parallel, using independent coin tosses in each repetition (for both parties). At the end of the interaction the verifier accepts if and only if the base verifier accepted in all of the repetitions. Repetition indeed reduces the soundness error, but does it preserve zero-knowledge? While it is relatively straightforward to argue that sequential repetition indeed preserves zero-knowledge [GO94], this yields a protocol with a prohibitively large number of rounds. Thus, a major question in the field is whether parallel repetition also preserves zero-knowledge.1 Curiously, it has long been known that parallel repetition does not preserve zero-knowledge for some (contrived) protocols [GK96]. However, for “naturally occurring” protocols, the question remained open for decades. A sequence of recent works [KRR17,CCRR18,HL18,CCH +18] showed that zero-knowledge is not preserved by repetition in very high generality (in fact, general 3- message zero-knowledge proofs can be ruled out [FGJ18]), but these works relied on extremely strong, non-falsifiable, and/or poorly understood cryptographic assumptions. The first progress on this question based on standard assumptions was due to Canetti et al. [CCH+19] and Peikert and Shiehian [PS19], who showed that some classical ZK protocols [GMR85, Blu86] fail to remain ZK under parallel repetition. However, their results conspicuously fail to capture the GMW protocol (and indeed fail to capture “most” protocols). Thus, an answer to the following basic question has remained elusive for over 30 years [DNRS99, BLV03]:

Does parallel repetition of the GMW protocol preserve zero-knowledge (under standard cryptographic assumptions)?

As one of our main results, we answer this question in the negative, assuming the hardness of learning with errors (LWE)[Reg03].

1In particular, a positive resolution of this question would yield 3-message zero-knowledge proofs for all of NP (as- suming also non-interactive commitments), thereby settling the long-standing open problem of the round complexity of zero-knowledge proofs.

1 Theorem 1.1 (Informally Stated, see Theorem 5.13). Assume that LWE holds. Then, there exists a commitment scheme C (in the common random string model) and a polynomial t such that t-fold parallel repetition of the GMW protocol (using C as its commitment scheme) is not zero-knowledge. We briefly make two remarks on Theorem 1.1:

• The commitment scheme C used in order to prove Theorem 1.1 is a natural one.2 The common random string consists of a public-key of an encryption scheme (which if using a suitable encryption scheme can simply be a uniformly random string). One commits by simply encrypting messages and decommits by revealing the randomness used in the encryption. Still, we point out that Theorem 1.1 leaves open the possibility that parallel repetition of GMW is zero-knowledge when instantiated with a specially tailored commitment scheme.

• The number of repetitions t for which we can show that the t-fold parallel repetition of GMW has negl(λ) soundness error, but is not zero knowledge, is |E(G)| · λ, where |E(G)| denotes the number of edges in the graph and λ is a security parameter. However, we still leave open a (very) small window of possible values for t so that the t-fold repetition of GMW is both sound and zero-knowledge (see Remark 5.14 for further discussion). The number of repetitions t for which we can show that the t-fold parallel repetition of GMW has negl(n) soundness error, but is not zero knowledge, is |E(G)| · n for any  > 0, where |E(G)| denotes the number of edges in the graph. Under the subexponential LWE assumption, the n factor can be reduced to logc n for some c > 1. This still leaves open a (very) small window of possible values for t so that the t-fold repetition of GMW is both sound and zero-knowledge (see Remark 5.14 for further discussion).

We prove Theorem 1.1 through a more general result showing that parallel repetition does not preserve zero-knowledge for a large class of protocols. This class includes all general-purpose public-coin3 zero-knowledge proofs for NP that we are aware of (when instantiated with a specific commitment scheme). In particular, this includes protocols based on the influential MPC-in-the- head paradigm [IKOS07] and more generally based on zero-knowledge PCPs (see, e.g., a recent survey [Ish20]). All of the above negative results are shown by making positive progress on the closely related question of soundly instantiating the prolific Fiat-Shamir heuristic, which is our main focus, and is discussed next.

1.1 Securely Instantiating Fiat-Shamir The Fiat-Shamir heuristic [FS86] is a generic technique for eliminating interaction in public-coin interactive proofs.4 This technique has been extremely influential both in practice and in theory. Consider for example a 3-message public-coin interactive proof that x ∈ L. In such a protocol first the prover sends a message α, the verifier responds with random coins β and finally the prover sends the last message γ. The basic idea underlying the Fiat-Shamir heuristic is to replace the

2In fact, this instantiation dates back to the original [GMW86] paper. 3Recall that an interactive proof is public-coin if all the verifier does throughout the interaction is simply toss random coins and immediately reveal them to the prover. 4The original goal in [FS86] was to efficiently compile (interactive) identification schemes into signature schemes, but the technique is applicable to more general protocols.

2 random coin tosses β of the verifier by applying a hash function to the the transcript thus far, i.e., by setting β = h(x, α). Since the prover can now compute the verifier’s coin tosses, the entire interaction consists of having the prover send the message (α, β, γ) in one shot. It has been long known that the Fiat-Shamir heuristic is sound when the hash function is modeled as a random oracle [BR94, PS96, BCS16]. In reality however, we need to realize the hash function with a concrete cryptographic hash function. Following [CCH+19], we say that a hash function family H is FS-compatible5 with a (public-coin) interactive protocol Π, if applying the Fiat-Shamir transform to Π, with a random choice of h ∈ H, yields a computationally sound argument system. A central problem in cryptography is to construct FS-compatible hash functions for a variety of interactive protocols of interest, thereby making them non-interactive. While designing FS-compatible hash function families is an extremely important goal in its own right, Dwork, Naor, Reingold, and Stockmeyer [DNRS99] also showed that the existence of an FS- compatible hash function family for a (public-coin) interactive proof Π for a language L/∈ BPP, is equivalent to Π not being zero-knowledge.6 This means, in particular, that in order to prove Theorem 1.1, it suffices to construct an FS-compatible hash function for the GMW protocol. For a long time almost all results on instantiating Fiat-Shamir were negative [CGH98, Bar01, GK03,BDG +13]. However, a recent line of work [KRR17,CCRR18,HL18,CCH +19,PS19,BKM20, LV20a,JKKZ20] has made substantial positive progress, culminating in secure realizations of Fiat- Shamir in certain (important) cases, based on standard cryptographic assumptions. In particular, a combination of the results of [CCH+19, PS19] implies the existence of hash functions, based on LWE, that are FS-compatible for a certain class of interactive proofs. More specifically (and restricting our attention to three message protocols), this class contains interactive proofs, in the CRS model, in which for every x∈ / L and first prover message α, the number of random coins β that could lead the verifier to accept is polynomially bounded, and moreover, there is an efficient algorithm that finds these “bad” β’s (given x, α and possibly a trapdoor associated with the CRS). Fortunately, a natural variant of Blum’s [Blu86] zero-knowledge protocol for Hamiltonicity has the above property. This is due to the fact that Blum’s protocol is obtained by applying parallel repetition to a base protocol which has only a single choice of bad randomness. Since 1t = 1, the number of bad random choices when the base protocol is repeated is still 1 (and this unique bad randomness can be efficiently found). Since Hamiltonicity is NP-complete, the works of [CCH+19, PS19] yielded non-interactive zero-knowledge7 proof-systems for all of NP. While the base GMW protocol has a polynomial number of bad random strings (after all, even the total number of verifier random strings is polynomial), in contrast to Blum’s protocol, when the protocol is repeated, this number becomes exponential. This means that the approach of [CCH+19,PS19] no longer applies. A similar problem occurs for the parallel repetition of any base protocol with more than a single bad random choice for the verifier, which is extremely common. We emphasize that the interest in these additional zero-knowledge protocols is not purely theo-

5We remark that the term “FS-compatible” has a different meaning in a recent work of [JKKZ20]. More specifically, [JKKZ20] defines “FS-compatibilty” to be a property of a protocol Π; their property consists of technical conditions that suffice for their specific hash family to instantiate FS for Π. 6Roughly speaking, [DNRS99] consider a malicious verifier that answers according to the Fiat-Shamir hash func- tion. They show that a successful simulation of such a verifier can be used to decide the language. 7In contrast to the discussion in the beginning of the introduction, in the context of applying Fiat-Shamir positively in order to construct non-interactive zero-knowledge proofs, it suffices that the base interactive proof be honest-verifier zero-knowledge. Honest-verifier is indeed known to be preserved under parallel repetition.

3 retical. In particular, some of the most efficient zero-knowledge proof-systems, such as those based on the MPC-in-the-head paradigm, also do not have a polynomial set of bad randomnesses and consequently the techniques of [CCH+19, PS19] are not applicable to them.

Fiat-Shamir for Commit-and-Open Protocols. Our second main result shows how to se- curely realize the Fiat-Shamir transformation when applied to a much broader class of interactive proofs than what was known before (including the GMW protocol). More specifically, this class con- sists of the “parallel repetition of any commit-and-open protocol”. By a commit-and-open protocol, we basically refer to protocols that have the following structure:

1. P commits to a string w. 2. V samples random coins r and sends them to P . These random coins, together with the main input x, specify a subset S of indices of w.

3. P decommits to wS and V accepts or rejects based on some predicate V (x, r, wS).

Note that the GMW protocol indeed fits into this framework: w is a (random) 3-coloring of the graph, the set S specifies a random edge and V simply checks that the edge is properly colored. Theorem 1.2 (Informally Stated, see Theorem 5.12). Assume that LWE holds. Then, there exists a commitment scheme C (in the CRS model), such that for every commit-and-open protocol ΠC there exists a polynomial t and a hash function family H, such that the hash family H is FS-compatible t with the t-fold parallel repetition (ΠC ) of ΠC . By the connection established by [DNRS99], Theorem 1.1 follows immediately from Theo- rem 1.2. Remark 1.3. An important example of a commit-and-open protocol is Kilian’s [Kil92] celebrated succinct argument-system, as well as its generalizations based on interactive oracle proofs [BCS16]. However, we point out that Theorem 1.2 is not applicable to this protocol since Kilian relies on a particular succinct commitment scheme (based on Merkle hashing), whereas the commitment scheme C that we use is inherently non-succinct. Indeed, the question of securely applying Fiat-Shamir to Kilian’s protocol (as envisioned by Micali [Mic93]), remains a fundamental open problem (see also [GW11, BBH+19]). Because it applies to parallel repetitions of all commit-and-open protocols (rather than just those with a single bad challenge), Theorem 1.2 substantially generalizes the class of protocols that have sound Fiat-Shamir instantiations in the standard model. We believe that Theorem 1.2 (and the techniques underlying its proof) are likely to lead to new feasibility results for non-interactive cryptographic protocols in the standard model.

Fiat-Shamir for Parallel Repetition of Multi-Round Protocols. We next turn to discuss our results for multi-round protocols. Let Π be a public-coin multi-round interactive proof system. As above, the application of Fiat-Shamir to such a protocol simply replaces the verifier’s random coin tosses in each round with a hash of the entire transcript up to that point. When considering protocols with a large number of rounds, some care must be taken. For example, if we take the sequential repetition of (say) the GMW protocol and try to apply Fiat- Shamir, it is not too difficult to see that the resulting non-interactive protocol is not sound regardless

4 of the Fiat-Shamir hash function (e.g., even if the hash function is modeled as a random oracle). The issue is that after the compilation, the cheating prover can effectively “rewind” the verifier to a previous state (see [BCS16] for more details). Thus, following [CCH+19], we restrict our attention to protocols satisfying a stronger soundness condition called round-by-round soundness. Loosely speaking, a protocol is round-by-round (RBR) sound, if soundness holds in each round individually. In more detail, RBR soundness dictates the existence of a predicate State (which need not be efficiently computable) mapping partial transcripts to the set {accept, reject} such that:

1. If x∈ / L then the State of the empty transcript is rejecting.

2. Given a rejecting partial transcript τ and any prover message α, with all but negligible probability over the verifier’s next coin tosses β, the partial transcript (τ|α|β) is also rejecting (where ‘|’ denotes concatenation).

3. The verifier always rejects full rejecting transcripts.

Note that round-by-round soundness implies standard soundness: the protocol starts off in a reject- ing state and, with high probability, will remain so until the very end in which case the verifier is required to reject. Prototypical examples of protocols satisfying round-by-round soundness include the sumcheck protocol [LFKN90] and the related [GKR08] protocol (see [CCH+19, JKKZ20] for details). We say that a protocol with RBR soundness has efficiently recognizable bad randomness if given a rejecting partial transcript τ|α, ending with a prover message α, the set of verifier coins β that make (τ|α|β) turn into an accepting partial transcript is efficiently recognizable (potentially also given access to a trapdoor of a CRS, if such exists). The works [CCH+19, PS19] imply LWE-based FS-compatible hash functions for interactive proofs with negligible RBR soundness error in which the bad randomness is not just efficiently recognizable, but moreover the set is efficiently enumerable (i.e., the set of bad randomness is poly- nomially bounded and can be explicitly generated in polynomial time). We extend their result to protocols obtained by taking parallel repetition of an r-round base protocol with RBR soundness error close to 1/r, and without any constraint on the number of choices of bad randomness.

Theorem 1.4 (Informally Stated, see Theorem 6.13). Let Π be a 2r + 1-message interactive proof 1− with round-by-round soundness error r with efficiently reconizeable bad randomness. Then, there exists a polynomial t = t(n, λ, ), and a hash family H, such that H is FS-compatible with Πt.

Remark 1.5. Theorem 1.2 actually follows from Theorem 1.4 since constant-round protocols with negligible soundness are automatically round-by-round sound, and the specific type of commitment scheme makes the bad randomnesses efficiently computable. However, we set apart these two results for two reasons. First, the proof of Theorem 1.2 is simpler than that of Theorem 1.4 and suffices for many protcols of interest. Second, we are unable to achieve a tight result with respect to the number of repetitions in Theorem 1.4 as we did for Theorem 1.2.

Finally, we note that Theorem 1.4 can be combined with the main insight of [JKKZ20] (which is orthogonal to our work) to further generalize the class of protocols Π that have sound Fiat- Shamir instantiations. Informally, the [JKKZ20] technique of lossy correlation intractability allows

5 us to additionally handle protocols where bad challenges for the i-th round can only be efficiently recognized given non-uniform advice about the previous rounds’ challenges. For example, this allows us to instantiate Fiat-Shamir for parallel repetitions of the [GKR08] protocol, even when the field size of the base protocol is poly-logarithmic. In contrast, [JKKZ20] can only handle variants of [GKR08] with an exponential field size.8

1.2 Technical Overview We now describe our techniques for proving Theorem 1.2, with a particular focus on the GMW protocol for ease of understanding. Our starting point is the work of [CCH+19], which gave the first instantiation of Fiat-Shamir in the standard model based on standard cryptographic assump- tions. As in prior work [KRR17,CCRR18,HL18], their Fiat-Shamir instantiation makes use of the framework of correlation intractability [CGH98], which we recall here.9 A hash family H is said to be (single input) correlation-intractable for a binary relation R if it is computationally hard, given a hash key h ← H, to find a “correlation”, i.e., an input x such that x, h(x)
∈ R. Such a security property is plausibly instantiable, and is satisfied by a random oracle, whenever the relation R is sparse, meaning that for any input x, the fraction of outputs y for which (x, y) ∈ R is negligible. Despite this plausibility argument, and despite the intriguing connection to Fiat-Shamir in the standard model (which we will see in a moment), there were essentially no instantiations of correlation intractability (beyond very simple relations such as those for which (x, y) ∈ R if and only if y = c for a constant c) before 2016. However, a flurry of recent works (includ- ing [CCR16, KRR17, CCRR18, HL18, CCH+19, PS19, LVW19, BFJ+20, GJJM20, LNPT19, BKM20, LV20a, JKKZ20, LNPY20, LV20b]) have (1) instantiated various flavors of correlation-intractable hash functions based on plausible cryptographic assumptions and (2) applied these hash functions to achieve independently useful cryptographic goals. We discuss this line of work in detail in Section 1.4, but for now, we recall the following result from [PS19], which is most relevant for our purposes. It is a construction of correlation intractability for functions: we say that H is CI for a function f if it is CI for the relation Rf = {(x, f(x))}. Theorem 1.6 ([PS19], informal). Under the LWE assumption, there exists a hash family H that is correlation intractable for all functions that are computable in (a priori bounded) polynomial time.

As described in the theorem statement, Theorem 1.6 has the following two limitations (which are also present in the predecessor work [CCH+19]10).

• They only achieve security for relations R ⊆ X × Y that represent functions. That is, for every x ∈ X there is (at most) a single y ∈ Y such that (x, y) ∈ R.

• They require that the functions are efficiently computable.

8 [JKKZ20] use a large field in order to avoid parallel repetition. For example, this precludes applications in which one needs to materialize entire truth tables of polynomials over the field. 9In fact, [DNRS99] cites personal communication with Chaum and Impagliazzo for an early variant of this con- nection. Full formalizations of this paradigm appear in [CCRR18, CCH+19]. 10More specifically, this limitation is present in the subset of results in [CCH+19] that are based on quantitatively standard cryptographic assumptions

6 Both of these drawbacks turn out to be relevant for Fiat-Shamir instantiations. To see this, we first discuss how CI relates to the instantiation of Fiat-Shamir for interactive proofs. For simplicity, we focus on the task of compiling 3-message public coin interactive proofs. Such protocols have the following syntax.

P (x, w) V (x) α

β

γ If V (x, α, β, γ) = 1, accept.

Figure 1: A 3-message public coin interactive proof Π.

After applying the Fiat-Shamir transform using hash family H, we obtain the protocol ΠFS,H below.

PFS(x, w; h) VFS(x; h) α, β := h(α), γ If β = h(α) and V (x, α, β, γ) = 1, accept.

Figure 2: The Protocol ΠFS,H.

(0) (0) In this situation, consider the following relation R = Rx,Π for a false statement x, which we call the (naive) bad-challenge relation for Π:

(0) Rx,Π = {(α, β): ∃γ s.t. V (x, α, β, γ) = 1}. (0) It follows almost syntactically that if H is CI for Rx,Π (for all false statements x), then H soundly instantiates Fiat-Shamir for Π. Thus, the problem of instantiating Fiat-Shamir is reduced to constructing sufficiently general-purpose correlation intractable hash functions. Bearing in mind the two drawbacks of Theorem 1.6, it is worth noting that Rx,Π is (in general) not even a function, let alone an efficiently computable one.

Fiat-Shamir for GMW. With the above background in mind, we turn to the task at hand: finding a Fiat-Shamir instantiation for the parallel repeated GMW protocol. Abstractly, a t-wise parallel repetition of a protocol Π has the following syntax.

P (x, w) V (x)

α1, . . . , αt

β1, . . . , βt ← [q]

γ1, . . . , γt If V (x, αi, βi, γi) = 1 for all i, accept.

Figure 3: A parallel-repeated protocol Πt.

7 In the case of GMW, the input x is a graph G = (V,E), the witness w is a 3-coloring of G, the messages αi are commitments to (a random shuffling of the colors of) w, each βi = (ui, vi) ∈ 11 E(G) specifies a randomly selected edge, and the γi are decommitments (zi, ri) to the colors zi = (w(ui), w(vi)). The verification procedure checks that the decommitments are all valid and that each (revealed) colored edge is not monochromatic. Note that the “alphabet size” q denotes the size of the the verifier’s challenge space, which in this case is q = |E|.12 (0) (0) Recall that by Theorem 1.6, we would be done if (1) the relation R = Rx,Πt above represented a function f, and (2) the function f were efficiently computable. As a first step, we show (following [HL18, CCH+19]) how to replace the relation R(0) with a relation R that is efficiently verifiable, i.e., there is an efficient algorithm that recognizes bad challenges. In a nutshell, the “commit-and-open” structure of the GMW protocol allows us to replace the (0) “naive bad-challenge relation” Rx,Πt with the relation

n
o Rx,Πt := (α1, . . . , αt), (β1, . . . , βt) : each zi := Extract(αi[βi]) has two distinct colors , where Extract denotes a function that extracts a committed bit b from a commitment com. In other words, the relation Rx,Π(α, β) can be verified by extracting from α[β] the appropriate committed string z and then checking whether the two colors defined by z are distinct. If the commitment scheme is efficiently extractable (given a trapdoor; e.g., this holds if Com is the encryption algorithm of a public-key encryption scheme), then Rx,Πt can be efficiently verified. Thus, to instantiate Fiat- Shamir for this (natural) instantiation of the GMW protocol, it suffices to construct a hash family H that is CI for this particular (efficiently verifiable) relation Rx,Πt .

The Problem: Too Many Bad Challenges. The main barrier to instantiating Fiat-Shamir for GMW is due to the first drawback of the [CCH+19, PS19] results, namely, that R is not a function. We quantify the extent to which R is not a function with the following terminology.

Definition 1.7 (d-Bounded Relation). We say that a relation R ⊆ {0, 1}n × {0, 1}m is d = d(n)- bounded if |R(x)| ≤ d, for all x ∈ {0, 1}n, where R(x) = {y ∈ {0, 1}m :(x, y) ∈ R}.

We focus on absolute rather than relative boundedness (aka density) due to the limitations of prior work on instantiating correlation intractability. In particular, the CI hash families of [CCH+19, PS19] were shown to satisfy correlation intractability for (efficiently computable) func- tions, i.e., 1-bounded relations. In prior work [CCH+19, JKKZ20], CI for relations that are not functions was only achieved in a very limited sense: for d-bounded relations R, it is noted that a 1 hash family H that is CI for efficiently computable functions with d quantitative security is also CI for d-bounded relations that are “efficiently enumerable”.13 This is proved via a trivial “guessing” 1 reduction from CI for functions with a security loss of d . In prior works, only polynomial (or slightly superpolynomial) values of d were considered for this reason.

11A decommitment (m, r) of a string com is a message m and choice of commitment randomness r such that com = Com(m; r). 12Our results in this overview may appear to require that q is polynomial in n, but we show in Section 3.2 how to reduce from general q to polynomial-size q via subsampling. This allows us to handle Fiat-Shamir for parallel repetitions of arbitrary commit-and-open protocols. 13A d-bounded relation R is efficiently enumerable if there is an efficient algorithm that, on input x, explicitly generates the set of all y such that (x, y) ∈ R.

8 However, in the case of parallel repeated GMW, the relation R = Rx,Πt may be only (|E(G)| − t t 1) -bounded. In other words, for every α = (α1, . . . , αt), there may be (|E(G)| − 1) challenges β such that (α, β) ∈ Rx,Πt . As a result, the “guessing reduction” above incurs a security loss that is exponential in the security parameter, resulting in a useless reduction. Achieving CI for d-bounded relations for large values of d – and instantiating Fiat-Shamir for protocols with many bad challenges – was an unsolved problem.

Main Idea: Derandomization. Our high-level idea for resolving this problem is using deran- domization to reduce the effective d-boundedness of the relation R. Namely, we employ a two-step process.

1. Devise a randomness-efficient procedure for sampling challenges (β1, . . . , βt) ← Samp(r) such that only polynomially many bad choices of r lead to bad challenges (for any given pair (x, α)). Note that we need to do so while maintaining negligible soundness error. That is, we want the set of bad challenges to have absolute size that is polynomial, while its relative size (or density) is negligible.

2. Compose the sampling procedure with a hash family Hinner that is CI for polynomially- bounded relations. In particular, Hinner must satisfy CI for a new relation R˜ := R˜x,Π,Samp that depends on the procedure Samp as well as Π.

This process yields a correlation-intractable hash family for R by a natural composition. Namely, our hash family will consist of hash functions h0 defined as

h0(x) = Samp(h(x)) where h ← Hinner comes from a previously constructed CI hash family (namely, the families from [CCH+19, PS19]). Another interpretation of our approach is that we instantiate Fiat-Shamir for a (parallel re- peated) protocol Πt by implicitly working with a derandomized parallel repetition14 of Π. Still, several crucial details remain unclear from this outline:

• How should we instantiate the sampling procedure Samp?

• How do we prove that the resulting hash family H0 is FS-compatible for Πt?

Indeed, standard derandomization techniques such as expander walks and pseudorandom gen- erators turn out not to suffice for our application, as we elaborate below. Instead, we need a new derandomization technique: our main technical contribution is a special-purpose instantiation of Samp and proof of security for H0.

14The type of derandomization that we require is related to, but different from, the “sampler-based” [Gol11,Vad12] derandomized parallel repetition of Bellare, Goldreich and Goldwasser [BGG90]. The exact approach of [BGG90] does not work for us for reasons similar to the “naive” PRG approach below.

9 Naive Idea: Use a PRG. As a first (flawed) attempt to solve our problem, one might consider setting Samp(r) = G(r) for some pseudorandom generator G (either cryptographic [BM82] or “Nisan-Wigderson style” [NW88,IW97,AK97]; indeed, the PRG would only have to fool a specific test related to Π). We briefly describe why this approach fails:

• The new relation R˜ is still not bounded enough. To understand this point, we need to specify what tests the PRG G has to fool. By staring at the problem, we see that G should have the property that for every statement x and first messages α1, . . . , αt, the probability that G(r) = (β1, . . . , βt) has the property that (α, G(r)) ∈ Rx,Π is close to the sparsity of R. Unfortunately, known PRG constructions still have the property that the absolute number of such “bad r” is exponential in the seed length,15 while we need this number to be polynomial in the seed length.

• The new relation R˜ is not efficiently enumerable. On top of parameter issues, the relation R˜ constructed in step (2) above seems hard to compute, because it syntactically requires computing preimages (of exponential-size sets!) under the map G. Indeed, the relation R˜ has the form:

˜  Rx,Π,G = (α, r):(α, G(r)) ∈ Rx,Πt , −1 so the set of all r such that (α, r) ∈ R˜x is G ({β :(α, β) ∈ Rx}). Since R˜ does not seem to be efficiently enumerable, we do not know how to construct a CI hash family for it.

Our Code-Based Derandomization. Since the naive idea of using a PRG for derandomization fails, we now study our special-purpose derandomization problem in more detail. In particular, we crucially take advantage of the parallel repetition structure of the relation Rx,Πt to reframe the problem. As above, our plan is to use some function Samp(r) → (β1, . . . , βt) along with a hash family H that is correlation intractable for the relation R˜, which can be expressed as

˜ n o Rx,Πt,Samp = (α, r):(αi, Samp(r)i) ∈ Rx,Π for all i .

Moreover, for each fixed pair (x, αi), we know that the collection Si of all βi such that (αi, βi) ∈ Rx,Π is not too large: if the protocol Π has soundness error 1 −  (meaning that cheating provers are 1 caught with probability ; in the case of GMW, we have  = |E(G)| ), then |Si| ≤ (1 − )q for all i (recall that q denotes the verifier’s challenge space in the base protocol). More abstractly, we are interested in relations of the form

˜ n o Rx,Πt,Samp = (α, r): Samp(r)i ∈ Si for all i , where:

• Each set Si ⊆ [q] is promised to have some bounded size |Si| ≤ (1 − )q,

15This boils down to the suboptimal -dependence of the seed length of known PRGs that are -pseudorandom. In order for the number of “bad r” to be polynomial, we would need a PRG with seed length O(log m) + log(1/) – that is, we cannot afford any constant c > 1 in front of the log(1/) term).

10 • Each set Si can be efficiently computed from (x, α). (This property is guaranteed by the efficient verifiability of R).

Since our hope is to use H from [CCH+19, PS19] – which is only CI for efficiently enumerable relations – we have two strong demands of the procedure (β1, . . . , βt) ← Samp(r):

• For all x and all α, the number of r such that Samp(r) ∈ S1 × ... × St should be polynomial in the length of r.

• Moreover, the (polynomial-size) set of all such r should be be efficiently computable given (x, α) (or, essentially equivalently, the sets S1,...St).

Almost miraculously, if we think of our sampler Samp as the encoding procedure Encode of an error-correcting code, this set of requirements exactly corresponds to an important notion in coding theory: (errorless) list recovery [GI01]! We now (informally) recall the definition of an (error-free) list-recoverable code. Let Encode : {0, 1}λ → [q]t denote an efficient encoding procedure. We say that (Encode, Recover) is a (`, L)-list recoverable code if

λ • For all sets (called input lists) S1,...,St of size at most `, the number of messages m ∈ {0, 1} such that Encode(m) ∈ S1 × ... × St is at most L, and

• The algorithm Recover(S1,...,St), given descriptions of the input lists S1,...,St, efficiently returns the ≤ L corresponding messages (called the output list).

List-recoverable codes were introduced by [GI01] as a tool for constructing more efficient list- decodable codes. For our application, we define Samp(r) := Encode(r) ∈ [q]t, so that

• The alphabet q of the code is exactly the challenge space for the base protocol Π.

• The block-length t of the code is the number of repetitions of the protocol Π,

• The input list size ` = (1 − )q corresponds to the boundedness of the relation RΠ, and • The output list size L is a bound on the number of seeds r that are mapped to bad challenges, and so should be some polynomial in the security parameter λ.16

We emphasize that the parameter regime we are interested in is qualitatively different than is typical in coding theory. In the coding theory literature (see [HW15, Figure 1] as well as [RW18] for examples), the input list size ` is typically very small17 compared to the alphabet size q, while the parameters they want to optimize are the block-length t (ideally t = O(λ)), as well as the output list size L (which is important for efficient decoding when the list-recoverable code is used as a component in a larger construction). On the other hand, our setting has a very large value of ` (potentially as high as (1 − )q); we then want to optimize for the block-length t, which is ideally not much larger than 1/, but

16The dependence is actually allowed to be poly(λ, q, 1/) 17 q For example, degree k Reed-Solomon codes over Fq can handle ` ≤ k , while known higher rate constructions can only tolerate much smaller values of `.

11 multiplicative factors of poly(λ) do not really bother us (in particular, the code can have rate o(1)). Meanwhile, the output list size L is not too important for us (as long as it is polynomial), but it is crucial that list-recovery is computationally efficient (rather than information-theoretic), which differs from many prior works. As described above, there is a tight connection between list-recoverable codes and correlation- intractable hash families through the construction h0(x) = Encode(h(x)):

Theorem 1.8 (Informally stated, see Theorem 3.7). Suppose that

•H is a hash family that is CI for efficient functions,

• R = Rx,Π is an efficiently verifiable relation with output space [q] and sparsity 1 − , and • (Encode, Recover) is a ((1 − )q, L)-list recoverable code mapping {0, 1}λ → [q]t.

0 Then, the hash family defined by h (x) = Encode(h(x)) is CI for the relation Rx,Πt , and is therefore FS-compatible with the protocol Πt.

In Section 3.1, we rephrase Theorem 1.8 fully in the language of correlation intractability (without reference to any protocol Π) by defining a natural notion of “product relation”. We then show that list-recoverable codes can be used to generically construct CI for product relations from CI for functions. Then, in Sections5 and6, we show how this form of CI allows us to prove our general FS results: Theorem 1.2 and Theorem 1.4. For the generalization to many-round protocols, we in fact make use of error-tolerant (rather than error-free) list-recoverable codes.

Final Step: Constructing the Codes. However, an important question remains: do there actually exist codes satisfying all of the properties that we need? To summarize (for the case of 3-message protocols), we want the following conditions to hold for a code defined by Encode : {0, 1}λ → [q]t.

1. The code should be (`, L)-list recoverable for ` = (1 − )q and L = poly(q/).

2. Both encoding and list recovery should be computationally efficient rather than information- theoretic.

3. Subject to (1) and (2), the block-length t should be as small as possible.

Conditions (1) and (2) are necessary to obtain any valid Fiat-Shamir instantiation for some sufficiently large number of (parallel) repetitions of a protocol Π, while condition (3) seeks to minimize the number of repetitions (hopefully to a number not much larger than what is required in the interactive setting). It is not difficult to argue that a random code f : {0, 1}λ → [q]t satisfies condition (1) with high probability, with t indeed on the order of 1/ (see Theorem 4.2); however, it (of course) does not satisfy condition (2). On the other hand, known list-recoverable codes with efficient list-recovery are only designed to handle small input list sizes. This includes algebraic codes [GS98,PV05,GR08], expander codes [SS94, HW15], and codes built by a combination of these tools [GI01, GI02, GI03, GI04]. As mentioned before, prior work did not primarily optimize for the input list sizes. In fact, aside from some of the works on algebraic codes, the parameter settings in prior work require

12 ` = qo(1);18 these prior works were instead mostly focused on achieving high rate and very efficient algorithmic encoding/recovery. In this work, we give a randomized construction of a code satisfying our demands via code concatenation [For66] combining an algebraic code with a random code (in a parameter regime where brute force decoding is polynomial-time). This is similar to the approach of [GI01] (although they use random “pseudolinear” codes rather than truly random codes for reasons of efficiency), but the parameters of our code concatenation (i.e. the relationship between the algebraic code’s parameters and the random code’s parameters) are quite different from [GI01]. Code concatenation is a technique based on the following simple idea: given two codes Cout,Cin such that alphabet symbols of Cout can be interpreted as messages for Cin, it is possible to encode a message m by first computing y = Encodeout(m) and then encoding each symbol yi using Cin. Code concatenation admits simple composition theorems for list-recovery, so the main question is whether there are parameter settings for Cout,Cin that meet our demands. It turns out that by setting the alphabet size q0 of the outer code to be polynomially larger than the alphabet size of the inner code (which is q), the concatenation Cout ◦ Cin can be shown to be list-recoverable for large input list sizes as long as the outer code is list-recoverable for moderately large input list sizes. Moreover, list-recovery is efficient even if the inner code must be list-recovered by brute force; this allows for the input list size for Cout ◦ Cin to be very large (as this parameter is inherited from Cin). In the end, our choice of Cout is a Parvaresh-Vardy code with carefully chosen parameters to optimize for the block-length t of the final construction: Theorem 1.9 (Informal, see Lemma 5.4). For all ` < q = poly(λ), there exists a probabilistically constructable family of codes n λ2· log(λ) o C : {0, 1}λ → [q] log(q/`) that is `, poly(λ)
-list recoverable with all but 2−λ probability. In particular, for ` = (1 − )q, we obtain block-length t = O˜(λ2/). We refer the reader to Sections4, 5.1 and 6.1 for more details.

1.3 Reflections: Fiat-Shamir via Coding Theory In summary, our main technique relates correlation intractability for relations to correlation in- tractability for functions in two high-level steps. 1. List Recoverable Codes. Given a protocol Π whose bad challenges are (approximate) t product sets S = S1×...St ⊆ [q] (such as those arising from parallel repetition), we construct a code C : {0, 1}λ → [q]t that avoids all such S: namely, every product set S contains only polynomially many codewords C(m).

2. Composition. We prove that such codes compose with a hash family H that is CI for functions to obtain a hash family C ◦ H that is CI for product relations. One can view this as a special case of a more general paradigm: given the results of [CCH+19, PS19], we can reduce the problem of instantiating Fiat-Shamir for any public-coin interactive proof

18An interesting concurrent and independent work [DW20] uses expander code-based techniques to construct a variant of list-recoverable codes with constant rate and ` = qΩ(1), but this is still far from the parameter regime that we care about.

13 to a coding-theoretic problem. For example, given a constant-round (or more generally, round-by- round sound) interactive proof Π for a language L, soundness guarantees that for every transcript prefix τ of Π on an input x∈ / L there is a sparse set Sτ of “bad” verifier messages. We would like λ to construct a code C : {0, 1} → [q] such that C “evades” Sτ in the sense that there are at most polynomially many messages m for which C(m) ∈ Sτ , and furthermore there is a polynomial-time algorithm that enumerates all such m. Given such a code C, the composition of the [PS19] hash function with C instantiates Fiat-Shamir for Π (assuming LWE). For general interactive proofs, the sets Sτ may be extremely complex and decoding seems intractable. In our results above, we took advantage of the following structure of Π that makes decoding feasible:

• Π is a parallel repetition, which ensures that each set Sτ is a product set; • Moreover, the base protocol has efficiently recognizable bad challenges.

We were then able to leverage highly non-trivial existing algorithms [GS98, PV05] to solve the resulting coding problem. An interesting direction for future work is whether other forms of efficient decoding can be used to instantiate Fiat-Shamir for other natural protocols.

1.4 Related Work 1.4.1 Correlation Intractability and Fiat-Shamir. We survey the recent constructions of correlation intractable (CI) hash families [CCR16, KRR17, CCRR18,HL18,CCH+19,PS19,BKM20] for comparison with our work. These constructions roughly fall into two categories:

CI for Large Classes of Relations based on Non-Standard Assumptions. The initial works [CCR16,KRR17,CCRR18,HL18,CCH +18] constructed hash families that achieve correlation intractability for very broad classes of relations, but they can only prove security based on strong and non-standard cryptographic assumptions. In more detail,

• [CCR16] constructs a hash family that is CI for all efficiently verifiable relations (i.e., relations R such that it is efficiently decidable whether (x, y) ∈ R) assuming (sub-exponentially secure) indistinguishability obfuscation (iO) as well as input-hiding obfuscation for evasive circuits [BBC+14].

• [KRR17, CCRR18] construct hash families that are CI for all (even hard-to-decide) sparse relations. To do so, they make assumptions that are both extremely quantitatively strong and non-falsifiable [Nao03,GW11]. For example, [CCRR18] assumes the existence of an encryption scheme such that key-recovery attacks, given (even inefficiently generated) key-dependent- message (KDM) ciphertexts, cannot succeed with probability significantly better than random guessing. [KRR17] makes a simiar assumption, and additionally assumes (subexponentially secure) iO.

• [HL18] constructs a hash family that is CI for all “efficiently sampleable relations” (similar in spirit but technically incomparable to “efficiently verifiable relations” as in [CCR16]) assuming

14 (subexponentially secure) iO and optimally secure one-way functions—that is, a one-way function f with no inversion attacks that are significantly better than random guessing. [CCH+19] (see [CCH+18]) also gives constructions of such a hash family under “optimally secure” variants of the learning with errors (LWE) assumption (without iO).

To summarize, these hash families achieve strong notions of CI (which suffice to instantiate Fiat-Shamir for broad classes of interactive proofs) at the cost of highly non-standard assumptions.

CI for Efficient Functions based on Standard Assumptions Beginning with the work of [CCH+19] (see [CLW18]), a sequence of works [CCH+19, PS19, BKM20] gave constructions of restricted forms of correlation intractability based on widely accepted assumptions. In more detail,

• [CCH+19, PS19] construct hash families that are CI for all efficiently computable functions, that is, for relations R such that (x, y) ∈ R ⇐⇒ y = f(x) for some efficiently computable function f.[CCH+19] constructs such a hash family under circular-secure fully homomorphic encryption, while [PS19] relies on the plain LWE assumption.

• [BKM20] constructs hash families that are CI for low-degree polynomial functions based on any one of various assumptions including LWE, the decisional Diffie-Hellman (DDH) assump- tion, and the Quadratic Residuosity (QR) assumption. In fact, their hash families are CI for relations R that are “efficiently approximable” by low-degree polynomials over F2, i.e., relations R such that (x, y) ∈ R ⇐⇒ y is close to p(x) in Hamming distance.

To summarize, these works construct hash families that are CI for (classes of) efficient functions (rather than relations), possibly up to some error tolerance on bits of the output.19 To emphasize even further, there are two main drawbacks to these CI constructions:

1. They only achieve security for relations R ⊆ X × Y that represent functions (possibly toler- ating some error).

2. They require that the functions (or, equivalently, the relations) are efficiently computable.

In the context of FS-compatibility, what this means is that prior work has successfully con- structed hash families that are FS-compatible with interactive proofs Π whose bad-challenge rela- 20 tions Rx,Π can be interpreted as efficient functions. The 3-message protocols whose bad-challenge relations are (possibly inefficient) functions are those satisfying “special soundness”: for every false statement x and every prover message α, there is at most one choice of challenge β such that an accepting proof of the form (α, β, γ) exists. Proof systems satisfying this notion include important protocols such as [GMR85, Blu86, FLS90], but a “typical” protocol Π will be extremely far from satisfying this notion. By a “random guessing” reduction, is it not hard to handle protocols Π that have only polynomially many bad challenges β for any fixed α, but again, this captures only a small class of protocols. Finally, we note that while drawback (2) has been circumvented to a small extent in later works [LV20a,JKKZ20], some form of efficiency requirement has been necessary for all bad-challenge

19Indeed, the constructions of [CCH+19, PS19] also support a kind of error tolerance, although this was irrelevant for their purposes. 20For 3-message protocols, these are abstracted as “trapdoor Σ-protocols” in [CCH+19].

15 functions of protocols Π with Fiat-Shamir instantiations under standard assumptions. As in prior work [CCH+19, PS19, BKM20], we instead work with protocols Π such that (a relaxation of) the relation Rx,Π can be efficiently verified given a trapdoor td. In the case of [GMW86], this is achieved by using a commitment scheme with a trapdoor that can extract committed bits (i.e., a public-key encryption scheme). One might wonder whether it is possible to directly show that the CI hash families of [CCH+19,

PS19] are also CI for relations such as Rx,ΠGMW . The intuitive reason this appears to be hard is as follows: to show that the [CCH+19,PS19] hash families H are CI for a function f, they show that a hash function h ← H is computationally indistinguishable from a hash function (distribution) hf that on input x internally (1) computes f(x) and then (2) outputs a value y that specifically avoids f(x). It is possible to extend this proof to make H “avoid” a polynomial number of evaluations f1(x), . . . , fk(x) (by internally computing all of them), but for our relations of interest, the number of (x, y) ∈ R (for a fixed x) can be close to 2m (for m = |y|)! As a result, proving that the [CCH+19, PS19] hash functions satisfy this form of correlation intractability appears out of reach for current techniques.

CI for Approximable Relations We note that in order to instantiate Fiat-Shamir for round- by-round sound protocols (Section6), we implicitly rely on (and construct) hash families that are correlation intractable for approximations of a relation R in a sense similar to the abstraction introduced in [BKM20]. However, in our setting, we think of hash outputs as elements of [q]t and our metric of interest is Hamming distance in the space [q]t; correspondingly, our security requirement is stronger, in that we want CI for even extremely poor approximations of R (i.e. 1 distance significantly greater than 2 ). We achieve this notion of CI when R is any (sufficiently bounded) product relation using error-tolerant list-recoverable codes.

1.4.2 List-Recoverable Codes and Cryptography List-recoverable codes have previously been used [MT07, DS11, HIOS15, KNY18, BKP18] in cryp- tography in the context of domain extension [Mer88] for hash functions. That is, given a hash func- tion h : {0, 1}n → {0, 1}m, their goal is to construct another hash function H : {0, 1}∗ → {0, 1}m while preserving security properties such as collision-resistance. In particular we highlight the work of [HIOS15] who use list-recoverable codes to construct hash functions H that are indiffer- entiable from random functions (if h is modeled as a random oracle). In their construction (as well as in [MT07, DS11]), it suffices to use off-the-shelf Parvaresh-Vardy codes [GUV09], albeit in somewhat non-standard parameter regimes. For example, [HIOS15] considers a regime with (1) subexponential (rather than polynomial) time list-recovery and (2) input list sizes of size qδ for some 0 < δ < 1 (and q is the alphabet size). One notable difference between our use of list-recoverable codes as compared to [MT07, DS11, HIOS15, KNY18, BKP18] is that in the context of domain extension, precomposition with a list- recoverable code (i.e. encoding the input x and then hashing it) is the technique used; on the other hand, we post-compose a hash function h with a code (i.e. we encode the output h(x)) in order to facilitate a kind of “output compression” (rather than domain extension).

16 2 Preliminaries

2.1 Interactive Proofs and Zero-Knowledge Definition 2.1. An interactive proof for a language L with completeness error c = c(n) and soundness error s = s(n) consists of a probabilistic polynomial-time interactive verifier V such that:

• (Completeness:) If x ∈ L then there is an interactive function Px such that V (x), when interacting with Px, accepts with probability at least 1 − c(|x|). • (Soundness:) If x∈ / L then V (x), when interacting with any (even computationally un- bounded) interactive function P ∗, accepts with probability at most s(|x|).

If the error parameters c or s are omitted, by default we require them to be negligible functions. If c = 0, we say that the proof-system has perfect completeness.

One of the main metrics of a proof system is the number of messages m exchanged between the prover and the verifier before the verifier decides whether or not to accept. Typically, this depends only on the input length n of the verifier’s input. We call m = m(n) the message complexity of the proof system. It is useful to have a notion of efficiency for the prover as well as for the verifier. The appropriate notion turns out to depend on the “type” of the language L for which the interactive proof is designed.

• L ∈ NP and a strategy Px as above can be implemented in polynomial-time given x and an NP witness21 for x; or

• if L ∈ P and a strategy Px can be implemented in polynomial-time given only x, then we say that the proof-system has an efficient prover.

Definition 2.2 (Arguments). An (s, )-computationally sound interactive proof (or argument) for a language L is an interactive proof for L in which the soundness condition is weakened to:

• ((s, )-Computational Soundness): For all x ∈ {0, 1}n \L and all size-s prover strategies P ∗, it holds that V (x) when interacting with P ∗ accepts with at most  probability.

We omit s and  if for all s = s(n) ≤ nO(1), the protocol satisfies (s, )-computational soundness for some  = (n) ≤ negl(n).

Definition 2.3 (Public-Coin). An interactive proof or argument V is said to be public-coin if:

• For some `(n) ≤ nO(1) and every x ∈ {0, 1}n, the messages sent by V (x) are i.i.d. uniformly random `(n)-bit strings.

• The final output of V (x) when interacting with a prover P is a fixed polynomial-time com- putable function of x and the transcript τ of its interaction with P . We denote this output by V (x, τ). 21The notion of an NP witness relies on associating a relation R with the language L; such a relation will usually be implicit from context.

17 For 2-message arguments, we also consider the notion of adaptive soundness, in which a prover may decide what it is trying to prove after seeing the verifier’s first message. Definition 2.4 (Adaptive Soundness). Let V be a 2-message argument in which the verifier’s messages have length ` = `(n) and are independent of the statement x. V is said to be (s, )-adaptively sound if for all size-s circuit ensembles P ∗, the probability that V (x, σ, α) = 1 and x ∈ {0, 1}n \L is at most  when sampling

σ ← {0, 1}`(n) (x, α) := P ∗(1n, σ).

If for all s = s(n) ≤ nO(1), V is (s, )-adaptively sound for some  = (n) ≤ negl(n), then we say simply that V is adaptively sound.

Zero-Knowledge. We recall here the definition of auxiliary-input computational zero-knowledge, referred to henceforth simply as zero-knowledge. Our presentation follows [Gol07]. Definition 2.5. We say that an interactive proof (P,V ) for a language L is zero-knowledge, if for every (malicious) probabilistic polynomial-time verifier V ∗ there exists a probabilistic polynomial- time simulator Sim, such that for every (even inefficient) function z = z(x), referred to as the auxiliary input, the following two distribution ensembles are computationally indistinguishable:

∗  ∗ • viewP,V ∗(z(x))(x) x∈L, where viewP,V (x) includes the entire view of the verifier V in the interaction with P on common input x and auxiliary input z; and  • Sim(x, z(x)) x∈L.

2.2 Cryptographic Primitives and Assumptions Definition 2.6 (Non-Interactive Statistically Binding Commitments in the CRS Model). A non- interactive bit commitment scheme in the CRS model is a pair of efficient randomized algorithms (Setup, Com), where: • Setup(1λ) outputs a string crs, which we refer to as a common reference string. • Com(crs, m; r) takes as input a common reference string crs and a message m ∈ {0, 1}; then, using randomness r, it outputs a commitment com. We require the following security properties: • Statistical binding: With high probability over crs ← Setup(1λ), there do not exist any two strings r0, r1 such that Com(crs, 0; r0) = Com(crs, 1; r1). • Computational hiding: The distribution of (crs, com) when sampling

crs ← Setup(1λ) com ← Com(crs, 0) is computationally indistinguishable from the distribution when sampling crs ← Setup(1λ) com ← Com(crs, 1).

18 Given a commitment string com and common reference string crs, we call a valid message-randomness pair (m, r) an opening for com. Remark 2.7. Any public-key encryption scheme PKE = (Gen, Enc, Dec) with perfect decryption correctness22 implies a non-interactive commitment scheme in the CRS model: The CRS is a public key pk, and a commit to a message m is an encryption of m under pk. Moreover, this commitment scheme has the following “trapdoor extractability” property: given the secret key sk corresponding to pk and a (potentially malicious) commitment com, one can efficiently compute m such that the only possible opening of com (if any) is to m.

Learning with Errors (LWE). We next define the learning with errors problem [Reg03]. Definition 2.8. The (Decisional) Learning With Errors (LWE) assumption with parameters n = n(λ), m = m(λ), q = q(λ), χ ∈ D(Zq), denoted by LWEn,m,q,χ, states that the distribution ensembles n×m T T T {(A, b)}λ and {(A, r)}λ are computationally indistinguishable, where A ← Zq , b = s A + e n m m (mod q), s ← Zq , e ← χ and r ← Zq . The subexponential variant of the LWE assumption states that for some  > 0, every size-2n adversary has advantage at most 2−n in distinguishing these two distributions. The subexponential advantage variant of the LWE assumption states that for some  > 0, every poly-size adversary has advantage at most 2−n in distinguishing these two distributions. A typical parameter setting for LWE (which suffices for our purposes) is q = poly(n), m = Θ(n log q) and χ defined to be the uniform distribution on [−B,B] ⊆ Zq for B = poly(λ) (but significantly smaller than q).

2.3 Correlation-Intractable Hash Functions In this section, we recall the notion of correlation intractable hash functions as introduced by Canetti, Goldreich and Halevi [CGH98].23 We first give a syntactic definition of keyed hash func- tions.

Definition 2.9. A hash family is a collection H = {hλ : Iλ ×Xλ → Yλ}λ∈Z+ of keyed hash functions such that {Iλ} is uniformly poly(λ)-time sampleable and {hλ} is uniformly poly(λ)-time evaluable. We will also write Hλ to denote the distribution on functions hλ(I, ·) obtained by sampling I ← Iλ. Correlation-intractability is defined as follows.

Definition 2.10 (Correlation-Intractability). For a hash family H = {hλ : Iλ × Xλ → Yλ}λ and CI a relation ensemble R = {Rλ ⊆ Xλ × Yλ}, the correlation intractability game GH,R is the following game, played by any adversary A against a fixed “challenger” C:

λ 1. On input 1 , C samples I ← Iλ and sends I to A.
2. A sends x ∈ Xλ to C, and wins the game if x, hλ(I, x) ∈ Rλ.

22In fact, it is sufficient if for almost all key pairs (pk, sk), it holds for all messages m and randomnesses r that Decsk, Enc(pk, m; r)
= m. 23A related security notion was introduced by Okamoto [Oka93] in the context of applying Fiat-Shamir to a particular identification scheme.

19 We say that H is s(·), (·)
-correlation intractable for R if for every size-s(λ) circuit A and every sufficiently large λ, the adversary A wins the correlation intractability game with probability at most (λ). If we omit s, we mean (s, )-security simultaneously for all s(λ) ≤ λO(1). If we omit , we mean (s, )-security simultaneously for all (λ) ≥ λ−O(1).

Theorem 2.11 ([PS19]). Assume that LWE m holds for a particular parameter setting 2 log q ,m,q,B q = poly(m),B = qΩ(1). Then, for every triple of polynomials T = T (λ), n = n(λ), m = m(λ), there exists a hash function family H : {0, 1}n → {0, 1}m log q that is correlation-intractable for every function ensemble f = {fλ}λ that is computable in time T (λ).

2.4 The Fiat-Shamir Transform Definition 2.12. Let Π = (P,V ) be a public-coin interactive protocol and denote its messages by α1, β1, . . . , αr, βr, where the αi’s are the prover messages and the βi’s are the verifier mes- sages. Suppose that all verifier messages have length `. For a family H of hash functions mapping ∗ ` {0, 1} → {0, 1} , we define FSH[Π] to be the non-interactive protocol obtained by sampling as a common reference string h ← H, and replacing each verifier message βi by h(x, α1, β1, . . . , αi), where x is the main input to the protocol. The verifier for FSH[Π] accepts if and only if the under- lying verifier accepts and all messages βi were computed correctly. In case Π is defined in the CRS model, with CRS σ, then we likewise view FSH[Π] as a protocol in the CRS model, using the CRS (σ, h).

Definition 2.13. We say that a hash function family H is FS-compatible with an interactive proof Π for a language L, if the non-interactive protocol FSH[Π] is an adaptively sound argument for L. We say that H is non-adaptively FS-compatible with Π if FSH[Π] is a (not necessarily adaptively) sound argument for L. We say that H is FS-compatible (or non-adaptively FS-compatible) with quantitative security λ −λ SubExp(λ) (for λ = λ(n)) if in addition there exists  > 0 such that FSH[Π] is (2 , 2 )- computationally sound.

[DNRS99] established the following negative connection between the existence of FS-compatible hash functions and zero-knowledge.

Theorem 2.14 ([DNRS99]). Let Π be a public-coin interactive proof for a language L. Suppose that there exists an FS-compatible hash function family H for Π. Then, if Π is zero-knowledge, then L ∈ BPP.

The proof of Theorem 2.14 is simple but not exactly in this form in [DNRS99], so we provide a proof for completeness.

Proof Sketch. Suppose that Π is zero-knowledge and consider a cheating verifier V ∗ that gets as auxiliary input a hash function h and answers each prover message by applying h to the transcript thus far (as in Fiat-Shamir). Since Π is zero-knowledge, there exists a simulator Sim for V ∗. Consider a decision procedure D for L that samples a random hash function h, runs Sim(x, h) (i.e., using h as the auxiliary input) and accepts if any only if (1) the transcript is accepting, and (2) the verifier messages in the transcript are computed correctly (i.e., by applying h).

20 First observe that if x ∈ L, by the zero-knowledge property the simulated transcript τ is computationally indistinguishible from the real interaction. By completeness, the real interaction produces an accepting transcript and so τ is accepting (and consistent with h) with all but negligible probability. Thus, D(x) accepts with all but negligible probability if x ∈ L. Next, note that if x 6∈ L, the soundness of FSH(Π) implies that D(x) accepts with only negligible probability. This is because, given a Fiat-Shamir hash function h, one efficient cheating strategy ∗ P for FSH(Π) is to run Sim(x, h) and send the simulated τ transcript as its message. Therefore, such a transcript can be accepting (and consistent with h) with only negligible probability. We conclude that D is a BPP algorithm for L.

2.5 Error Correcting Codes and List Recovery Definition 2.15. A q-ary code is a function C : M → [q]n, where n is called the block length, M is called the message space, and [q] is called the alphabet of C. The distance of C is the minimum Hamming distance between C(m) and C(m0) for distinct m, m0 ∈ M. If C has distance d, then its relative distance is d/n.

When discussing the asymptotic performance of codes, it makes sense to consider ensembles of nk codes {Ck : Mk → [qk] }k∈Z+ with varying parameters. We will only consider constructable codes, which are ensembles for which:   • There is an efficiently computable (and invertible) bijection between Mk and |Mk| , and |Mk| is computable in time poly(k).

k • qk, and nk are computable given 1 in time poly(k).

• There is a polynomial-time algorithm E that, given m ∈ Mk (represented as an integer in   |Mk| ), outputs Ck(m). Definition 2.16 (Concatenated Code [For66]). Let C : M → [Q]N and c :[Q] → [q]n denote codes. The concatenated code C ◦ c : M → [q]Nn is defined by
(C ◦ c)(m)(i−1)n+j = c C(m)i j, for all m ∈ M, i ∈ [N], and j ∈ [n].

 n Definition 2.17 (List-Recoverable Codes [GI01,GS98]). An ensemble of codes Ck : Mk → [qk] k + + + is said to be (α(·), `(·),L(·))-list recoverable (for α : Z → (0, 1) and `, L : Z → Z ) if there is a polynomial-time algorithm Recover that:

+ • Takes as input k ∈ Z and explicit descriptions of “constraint” sets S1,...,Snk ⊆ [qk] with each |Si| ≤ `(k);

• Produces as output a list of at most L(k) messages, containing all m ∈ Mk for which (Ck(m))i ∈ Si for at least an α(k) fraction of i ∈ [nk].

The code {Ck} is said to be combinatorially (α, `, L)-list recoverable if an arbitrarily inefficient algo- rithm Recover exists with the above functionality. If α = 1, we omit it.

When ` = 1, list recoverability is the same as the more common notion of list decodability.

21 2.6 Concentration Inequalities

Theorem 2.18 (Multiplicative Chernoff). If X1,...,Xn are independent {0, 1}-valued random def P def variables with X = i Xi and µ = E[X], then for all δ ≥ 0, !µ eδ Pr[X ≥ (1 + δ)µ] ≤ . (1) (1 + δ)1+δ

Corollary 2.19. There is an absolute constant c > 1 such that if X and µ are as above, then for any τ ≥ 3µ, we have Pr[X ≥ τ] ≤ c−τ .

Proof. Follows from viewing τ as (1 + δ)µ for δ ≥ 2 and rewriting Eq. (1) as

!(1+δ)µ eδ/(1+δ) Pr[X ≥ (1 + δ)µ] ≤ 1 + δ  1 + δ −τ = eδ/(1+δ) 3−τ ≤ . e

Theorem 2.20 (Additive Chernoff). If X1,...,Xn are independent {0, 1}-valued random variables def P def with X = i Xi and µ = E[X], then for all  ≥ 0,

 1  2 Pr X ≥ µ +  ≤ e−2 n. (2) n

3 Derandomization for Correlation Intractability

In this section, we describe and analyze two derandomization techniques that help achieve correla- tion intractability for more expressive relation classes. The first technique, described in Section 3.1, gives a reduction from CI for (approximate) product relations to CI for functions, based on list- recoverable codes. Next, in Section 3.2, we show a generic technique for reducing the alphabet size of product relations using subsampling.

3.1 Correlation Intractability via List Recovery Throughout this section, let R ⊆ X × Y t be a binary relation. Our positive result on correlation intractability are for relations with a product structure along with relatively mild sparsity and computational efficiency requirements.

Definition 3.1 (Product Relation). We say that R is a product relation if for every x, the set t Rx = {y :(x, y) ∈ R} ⊆ Y has a decomposition

Rx = S1 × S2 × ...St

(where S1,...,St may depend on x).

22 We generalize Definition 3.1 to handle (a large fraction of) errors: Definition 3.2 (Approximate Product Relation). We say that R is an α-approximate product t t relation if for every x, the set Rx = {y ∈ Y :(x, y) ∈ R} consists exactly of all those y ∈ Y for which

{i ∈ [t]: yi ∈ Si} ≥ αt. for some sets S1,...,St ⊆ Y that may depend on x. We construct hash functions that are CI for (approximate) product relations satisfying a form of efficient verifiability. Definition 3.3 (Efficient Product Verifiability). We say that an (α-approximate) relation R is effi- ciently product verifiable if there is a polynomial-size circuit C such that, on every input x with some corresponding sets (S1,...,St) (as in Definition 3.2) corresponding to x, it holds that C(x, y, i) = 1 if and only if y ∈ Si. Whenever we consider an approximate product relation R, we assume (and, when necessary, n o provide) a specific decomposition (S1,x,...,St,x) for R; the decomposition is represented by x∈X a circuit deciding membership of y in Si,x given (x, y, i). The notion of sparsity that is most relevant for these relations is simply a bound on the (relative) size of the component sets Si: Definition 3.4 (Product Sparsity). We say that a product (resp., α-approximate product) rela- tion R has product sparsity ρ if for every input x, the sets S1,...,St as in Definition 3.1 (resp., Definition 3.2) have size at most ρq. In order to construct a hash family that is correlation intractable for (approximate) product relations, we simply compose a “base” CI hash function with an appropriate list recoverable code. Definition 3.5 (Encoded Hash Function). Let h : I × X → Z be a hash function with index set I, domain X, and codomain Z, and let C : Z → Y t be a (probabilistically) constructable code24 (see Section4). We write C ◦ h to denote the hash function h˜ : I˜ × X → Y t, where I˜ def= I × C and   h˜(i, C), x
def= C hi, x
.

In order to analyze the correlation intractability of encoded hash functions, we introduce a kind of derandomization for (approximate) product relations R, which will help us achieve correlation intractability for R. Specifically, if R ⊆ X × Y t is a product (or approximate product) relation and C : Z → Y t is a code, we define n
o R˜C = (x, z): x, C(z) ∈ R . The following lemma then holds syntactically.

Lemma 3.6. If C is a (probabilistically) constructable code ensemble, R = {Rλ} is a relation (ensemble) and if H is a hash family that is correlation intractable for R˜C , then C ◦ H as in Definition 3.5 is a hash family that is correlation intractable for R. 24We omit the parameterization of h (respectively C) by a security parameter (respectively the message length) for simplicity.

23 Proof. Suppose that C ◦ H is not CI for R; then, there exists an efficient adversary A(h) that on input h ← H, outputs an x such that (x, C(h(x)) ∈ R with non-negligible probability. By the definition of R˜C , we know that (x, C(h(x)) ∈ R implies that (x, h(x)) ∈ R˜C , so this contradicts the CI of H with respect to R˜C .

Theorem 3.7. Let T be an arbitrary time bound; then, define R = Rα,,T to be the class of all time-T verifiable α-approximate product relations R ⊆ X ×Y t with product sparsity 1−. Moreover, suppose that

• C : Z → Y t is a code that is (α, (1 − )q, L) list-recoverable in poly(L)-time, with L = poly(n, q); and

negl(λ) • The hash family H is (quantitatively T 0 -) correlation intractable for all functions that are computable within some sufficiently large time bound T 0 = poly(T, t, |Y |).

Then, C ◦ H is correlation intractable for all relations in R. In particular, when T, |Y |, t are all fixed polynomials in a security parameter λ, then if H is CI for functions computable in poly(λ) time, then C ◦ H is CI for R.

Proof. Lemma 3.6 tells us that for any time-T verifiable (approximate) product relation R, the hash family H0 is CI for R as long as H is CI for the derandomized relation R˜ above. We now claim that subject to the hypotheses above, R˜ is efficiently enumerable in the sense of [CCH+19]: there is an efficient (meaning poly(T, t, |Y |)) algorithm that, given x, enumerates all z ∈ Z such that (x, z) ∈ R˜C . Indeed, this is possible via the following procedure:

• First, construct the sets S1,...,St given x = (x1, . . . , xt); this can be done in time t · T · |Y |.

• Then, evaluate Recover(S1,...,St). By the correctness of list-recovery, this produces (with high probability) a poly-size list of all z ∈ Z for which (x, z) ∈ R˜C .

The runtime of this entire enumeration procedure is a fixed polynomial poly(T, t, |Y |). Finally, we recall that in [CCH+19] (see [CLW18] Section 3.1), it was noted that if H is -CI for time-T 0  0 ˜ computable functions, then it is T 0 -CI for time-T enumerable relations (and in particular R); thus, we conclude that H0 is CI for R with the claimed quantitative parameters.

3.2 Handling Large Alphabets via Subsampling While Theorem 3.7 could plausibly apply to product relations in X × Y t with |Y | = λω(1), our instantiations (Theorems 5.1 and 6.1) can only directly handle alphabets of size |Y | = poly(λ); this is because we employ list-recovery algorithms that take as input (uncompressed) lists of size |Y |Ω(1) (and we also explicitly assume that t ≥ |Y |Ω(1) in our code constructions). However, we can achieve correlation intractability even for large values of |Y | — assuming we 1 ˜ have sparsity ρ ≤ 1 − poly(λ) . We do so by first subsampling a random sub-alphabet Y ⊆ Y and restricting the relation R to this sub-alphabet. That is, given a relation R ⊆ X × Y t and alphabet Y˜ ⊆ Y , we define

˜ t RY˜ = R ∩ X × Y ) (3) We note that:

24 • If membership in a set Si can be verified in time T , then membership in Si ∩Y˜ can be verified in time T + |Y˜ | log |Y |.

• A hash function that is CI for RY˜ is also CI for R when viewed as a hash function with output space Y˜ t ⊆ Y t. Moreover, we note that a sufficiently large (random) subset of Y preserves the sparsity of the Si under intersection. Lemma 3.8. Suppose that R ⊆ X × Y t is an α-approximate product relation with product sparsity + ˜ log |X|+log t+λ ρ. For some  > 0 and λ ∈ Z , let Y ⊆ Y be a uniformly random subset of size q ≥ 2 , ˜ Y
i.e. Y is sampled uniformly at random from q . −λ Then RY˜ as defined in Eq. (3) is an α-approximate product relation that, with probability 1−2 ˜ Y
over the choice of Y ← q , has product sparsity ≤ ρ + .

Proof. This follows from union bounding over |X| · t subsets Sij ⊆ Y (depending on the relation and indexed by i ∈ X, j ∈ [t]), each of size at most ρ|Y |. For each such Sij, when Y˜ is sampled as λ −2 above, it holds with probability at least 1 − (t · |X| · 2 ) that the intersection Sij ∩ Y˜ has size at most (ρ + ) · |Y˜ |. This follows from a standard Chernoff bound (Theorem 2.20).

We conclude that sub-sampling gives a reduction from CI over large alphabets to CI over polynomial-size alphabets. Corollary 3.9. Let R ⊆ X × Y t be an α-approximate product relation with product sparsity ρ, log |X|+log t+λ and let q = q(λ) be an integer such that q ≥ 2 , where λ is a computational security parameter. ˜ Y
˜ t Suppose that for each Y ∈ q , HY˜ is a family of hash functions mapping X → Y that is CI for α-approximate product relations with product sparsity ρ + . Then the hash family H, where a ˜ Y
random element of H is sampled as h ← HY˜ for uniformly random Y ← q , is CI for R. Corollary 3.9 will be used in Section5 and Section6 to obtain CI hash functions with large out- put alphabets, which in turn yields Fiat-Shamir instantiations for parallel repetitions of interactive proofs with large verifier challenge spaces.

4 Basic List Recovery Bounds

In this section, we recall and rephrase some facts about the list-recoverability of three objects from the coding-theory literature: Parvaresh-Vardy codes [PV05, GR08], random codes (as analyzed by [GI01]), and generic code concatenation [For66]. These bounds will be used in Section5 and Section6 to build new codes that combine with Theorem 3.7 in different ways. We begin with a description of what is achieved by Parvaresh-Vardy codes. Theorem 4.1 (Parvaresh-Vardy codes [PV05, GR08]). There is an explicit code C :[q]k → [qs]q,

+ parameterized by integers s, k, q ∈ Z (with q a power of two) such that for every α ∈ [0, 1], the code is (efficiently) (α, `, L)-list recoverable in time poly(2s)s, q, `
as long as  α s+1 qs ` < · s + 1 ks

25 and q` L > c · (2s)s · k for some absolute constant c. C can be evaluated in time less than the above bound on the time required to list recover.

We also need bounds on the list-recoverability of random codes. List-recovery bounds for ran- dom (and flavors of pseudorandom) codes were stated (but not proved) in [GI01]; for completeness we prove here the results that we use. We first give the fully parameterized result and then specialize to parameter regimes of interest.

Theorem 4.2. There exists a constant c > 0 such that for any q, Q, α, `, and L (all of which are functions of n), a random function f :[Q] → [q]n is combinatorially (α, `, L)-list recoverable with probability 1 − 2−Ω(L) as long as  q  L ≥ c · Q · ρ + ` · n · log , (4) ` where the parameter ρ is ρ def= Pr Binomn, `/q
≥ αn . This list recovery can be done (by brute force) in time O(Q · n · ` · log q). Evaluation of f can be done in time O(Q · n · log q).

Theorem 4.2 follows by a straightforward application of the probabilistic method, details follow.

Proof. Let f be a random function mapping [Q] → [q]n. We want to show that with high probability, −1 for all sets S1,...,Sn ⊆ [q] of size `, the size of the set f (B) is at most L, where by B we denote

def n n o B = z ∈ [q] : |i ∈ [n]: zi ∈ Si| ≥ αn .

q
n q·e
`n We analyze this by union bounding over ` ≤ ` events corresponding to the possible choices of S1,...,Sn. To analyze an individual one of these events, we note that for fixed sets S1,...,Sn, the random variable f −1(B) follows a binomial distribution Binom (Q, ρ˜), for h i ρ˜ def= Pr z ∈ B z←[q]n h i = Pr i ∈ [n]: zi ∈ Si ≥ αn z←[q]n ≤ Pr Binomn, `/q
≥ αn = ρ.

A multiplicative Chernoff bound (Corollary 2.19) implies that for some constant c0 > 0, h i −1 −L Pr f (B) > L < c0 , provided that L > 3˜ρ · Q.

26 Then, the union bound gives the desired conclusion about f as long as

q · e`n c−L · ≤ 2−Ω(L), 0 `

q
which holds if L ≥ c1 ·`n·log ` for some absolute constant c1 > 0. Combining these two conditions on L yields Theorem 4.2.

We also make use of the (known) fact that concatenated codes inherit list recoverability from their constituent parts.

Lemma 4.3. Suppose that

N α−β 0 • C : M → [Q] is an ( 1−β , ` ,L)-list recoverable code and • c :[Q] → [q]n is a (β, `, `0)-list recoverable code

+ for 1 ≥ α > β > 0 and `, L ∈ Z . Then C ◦ c is (α, `, L)-list recoverable. Moreover, if list-recovery for C can be computed in time T and list-recovery for c can be computed in time t, then list-recovery for C ◦ c can be computed in time T + n · t. In the special case of errorless list recovery (α = 1), it suffices for C to be (`0,L)-list recoverable and c to be (`0, `)-list recoverable to imply that C ◦ c is (`, L)-list recoverable.

Proof. Let {Si,j}i∈[N],j∈[n] be subsets of [q] of size at most `. We want to bound the size of the set

def S = {m ∈ M :(C ◦ c)(m)i,j ∈ Si,j for at least αnN choices of (i, j)} .

To do this, we note that by Markov’s inequality, for any m ∈ S with (C ◦ c)(m) = z1,1, . . . , zN,n, we have α − β {i ∈ [N]: z ∈ S for at least β · n choices of j ∈ [n]} ≥ N. i,j i,j 1 − β Therefore, the (β, `0, `)-list recoverability of c implies that there exist lists L(1),...,L(N) ⊆ [Q] 0 (i) α−β of size at most ` such that for all such m, C(m)i ∈ L for at least 1−β N choices of i. By the α−β ( 1−β , `, L)-list recoverability of C1, there are at most L such messages m. Moreover, the collection of such messages can be recovered in time T + N · t via the following algorithm:

(1) (N) • Given the collection of sets {Si,j}, compute the lists L ,...,L defined by these sets (with respect to c) in (total) time N · t.

• Then, run the list recovery algorithm for C on L(1),...,L(N) to obtain the final list.

Finally, in the case of errorless list recovery, we have by assumption that all symbols zi,j of each block have to lie in the appropriate Si,j, so the claim follows.

27 5 Fiat-Shamir for Commit-And-Open Protocols

In this section, we obtain our positive results for Fiat-Shamir by applying Theorem 3.7. In Section 5.1, give a CI instantiation for product relations (Theorem 5.1). To prove this theo- rem, we give a randomized construction of codes that are (`, L)-list recoverable for large values of `; the codes are obtained by concatenating Parvaresh-Vardy codes [PV05] with a random code. We carefully choose the parameters of the two codes to optimize the block-length of the concatenation. We augment Theorem 5.1 with alphabet reduction (Corollary 3.9) to handle larger alphabets. In Sections 5.2 and 5.3, we state and prove our Fiat-Shamir instantiations. We give a general result for (parallel repetitions of) 3-message protocols with efficiently verifiable bad challenges, and then focus on commit-and-open protocols (Definition 5.10) as a special case. Finally, in Section 5.4, we state our negative results on parallel repeated zero knowledge, which are obtained by invoking [DNRS99].

5.1 Correlation Intractability for Efficiently Verifiable Product Relations Our main result in this section is a construction of correlation intractable hash families for product relations over polynomial-size alphabets.

tλ Theorem 5.1. Let R = Rλ ⊆ Xλ × Yλ be an ensemble of product relations that are time-T (λ) product-verifiable as in Definition 3.3 with product sparsity at most ρ, where |Yλ|, log |Xλ|, T (λ), O(1) and tλ are all upper bounded by λ and tλ ≥ λ/ log(1/ρ). tλ Then there exists a hash family H = {Hλ : Xλ → Yλ }λ∈Z+ that is correlation intractable for R under the LWE assumption. Moreover, H depends only on (X, Y, ρ, t, T ) (and is otherwise independent of R) and can be evaluated in time poly(log |X|, |Y |, t, T ). Several remarks follow on the efficiency properties of Theorem 5.1: • The dependence of the evaluation time on H on |Y | can be reduced if R’s product decom- position can be computed explicitly in time  |Y | · T (which is the generic bound for a time T -product verifiable relation). This can apply in situations where ρ is very small. Al- ternatively, all dependencies on |Y | can be generically reduced via alphabet reduction (see Theorem 5.5).

• If we write ρ = 1 − , it suffices to have tλ ≥ λ/ (which approaches λ/ log(1/ρ) for small ). • With our usual “polynomial hardness” notions of security—that is, requiring that any poly(λ)- size adversary cannot win correlation intractability games with probability λ−Ω(1)—it is equiv- alent (by a standard scaling argument) to replace this requirement by the seemingly weaker δ requirement that tλ ≥ λ / log(1/ρ) for any arbitrarily small constant δ > 0.

• Under a sub-exponential variant of LWE, the requirement that tλ ≥ λ/ log(1/ρ) can be c weakened to tλ ≥ log λ/ log(1/ρ) for a large enough constant c, while still retaining standard polynomial security in the correlation intractability of the resulting hash family.

• On the other hand, correlation intractability against larger adversaries (or smaller success probabilities) is also achievable by increasing tλ. For example, assuming sub-exponential λ c LWE, it is possible to achieve security against size-2 adversaries by requiring tλ ≥ λ / log(1/ρ) for a sufficiently large constant c.

28 To prove Theorem 5.1, we first construct a family of list-recoverable codes for our parameter regime of interest. We start with the following proposition, which follows immediately from The- orem 4.1 and gives list recoverable codes in the errorless case (i.e., α = 1), with polynomial input list sizes, output list size, alphabet and block length.

Proposition 5.2. For all constants c and all ` = `(k) ≤ kc, there exists a constructable ensemble of codes n k O(k2)o C = Ck : {0, 1} → [Qk] k∈Z+ 4
c for some ` ≤ Qk ≤ O(` ) such that Ck is `, O(k`) -list recoverable in time poly(k, `, c ). Proof. Suppose we are given a polynomially bounded function `(·). We obtain such an ensemble from Theorem 4.1 by setting:

• α = 1;

• s = 2 logk(`), which is bounded by a constant depending on `(·); and • q is the smallest power of two that is at least k2,

2 s 4 which results in Qk ≤ (2k ) ≤ O(` ). We remark that it is also possible to set q = O(k1+) for an arbitrarily small constant  > 0, which would result in a slightly better bound for the block length of C, but no qualitatively new applications for Fiat-Shamir. We additionally use the following bound on the list recoverability of random functions (without errors), which follows from Theorem 4.2

Proposition 5.3. For all ` = `(k), q = q(k), L = L(k), and Q = Q(k) satisfying ` < q and l log Q m n L ≥ ` · ω(log Q), setting n = n(k) = log(q/`) , a random function f :[Q] → [q] is combinatorially `, L
-list recoverable with probability 1 − 2−Ω(L).

l log Q m def n Proof. We apply Theorem 4.2 with α = 1 and n = log(q/`) , which ensures that ρ = (`/q) is q
at most 1/Q. Because n · log(q/`) is O(log Q), we have that L ≥ ω Q · ρ + ` · n · log ` , from which it follows by Theorem 4.2 that f is combinatorially (`, L)-list recoverable with probability 1 − 2−Ω(L).

Concatenating the codes of Propositions 5.2 and 5.3 yields codes with list recoverability param- eters that are useful for our applications.

Lemma 5.4. For all ` = `(k), q = q(k) with ` < q ≤ kO(1), there exists a probabilistically constructable ensemble of codes

k2 log(k)
 k O Ck : {0, 1} → [q] log(q/`)

2
O(1) −Ω(k) such that each Ck is `, O(k `) -list recoverable in time k with all but 2 probability. logk(`) 1 More precisely, the running time is a fixed polynomial in k, `, logk(`) , and log(q/`) .

29 Proof. Consider any choice of ` = `(k) and q = q(k) as above. Then by Proposition 5.2, there
4 0 0 k O(k2) is some Q = Qk ≤ k` and a constructable ensemble of codes C = {Ck : {0, 1} → [Q] } that is k`, O(k2`)
-list recoverable in time kO(1). For this Q, Proposition 5.3 guarantees that l log Q m n with n = n(k) = log(q/`) , a random function f = fk :[Q] → [q] is combinatorially (`, k`)- list recoverable with probability 1 − 2−Ω(k`). Such an f is sampleable in time (k`)4 · n log(q) 4 because Qk ≤ (k`) . Similarly, the brute-force (`, k`)-list recovery algorithm for f runs in time (k`)4 · `n log(q). Concatenating C0 with f yields the desired ensemble:

 0 k k2·n (C ◦ fk): {0, 1} → [q] + k k∈Z is `(k),O(k2`)
-list recoverable in kO(1) time by Lemma 4.3.

Proof of Theorem 5.1. We are finally ready to prove our main theorem. We compose (a random instance of) the code from Lemma 5.4 with the CI hash family of Theorem 2.11. Theorem 3.7 then implies that the composition yields a good correlation-intractable hash family for the claimed relations.

The Large Alphabet Case. Finally, we combine Theorem 5.1 with Corollary 3.9 to obtain the following result on CI for product relations over large alphabets. We specialize this result to the case ρ = 1 −  for convenience.25

tλ Theorem 5.5. Let R ⊆ Xλ × Yλ be a product relation that is time-T product-verifiable (where log |X|, T, t = poly(λ)) with product sparsity at most 1 −  for  ≥ λ−O(1). tλ Then, if t ≥ λ/, there exists a hash family H = {Hλ : Xλ → Yλ }λ∈Z+ that is correlation intractable for R under the LWE assumption. Moreover, H depends only on (Xλ,Yλ,Tλ, tλ, ) and can be evaluated in time poly(log |X|, t, T ).

5.2 Fiat-Shamir for Trapdoor 3-Message Protocols We now describe a general Fiat-Shamir instantiation for 3-message public coin interactive proofs with trapdoor decidable bad challenges, defined below. This notion is a generalization of (instance- dependent) trapdoor Σ-protocols as defined in [CCH+19].

Definition 5.6 (Bad-Challenge Relation). Let Π denote a 3-message public coin interactive proof system for a language L in the (possibly empty) CRS model. We define the bad challenge relation R(Π,crs) for Π (with a fixed CRS crs) to be n o R(Π,crs) = (x|α, β): x 6∈ L and ∃γ : V (crs, x, α, β, γ) = 1 .

For an instance x 6∈ L, we define the non-adaptive bad challenge relation R(Π,crs,x) to be n o R(Π,crs,x) = (α, β): ∃γ : V (crs, x, α, β, γ) = 1 .

25The approximations incurred by this specialization cost at most a factor of O(log(λ)) in the number of repetitions our techniques can achieve for exact product relations.

30 Definition 5.7 (Trapdoor Decidable Bad Challenges). We say that a 3-message public-coin proof system Π for a language L in the CRS model has (time-T ) trapdoor decidable bad challenges if there exist • An efficient algorithm TrapGen(1λ) that outputs a pair (crs, td);

• A sparse binary relation R(td); and

• An algorithm BadChallengeTest(td, x, α, β) that takes as input the trapdoor td, the instance x, a first message α, and a second message (or challenge) β, satisfying the following properties: • When sampling (crs, td) ← TrapGen(1λ), the distribution of crs is statistically indistinguishable from that of an honestly generated CRS.

• R(td) contains the bad-challenge relation R(Π,crs) (Definition 5.6).

• BadChallengeTest(td, x, α, β) runs in time T and outputs 1 if and only if (x|α, β) ∈ R(crs). Definition 5.8. We say that Π has (time-T ) instance-dependent trapdoor decidable bad challenges if it satisfies Definition 5.7 with the following modifications: • TrapGen(1λ, w) also takes as input non-uniform advice w about the instance x; and

• BadChallengeTest and R(td,x) are defined with respect to the non-adaptive bad challenge rela- tion R(Π,crs,x) instead of with respect to R(Π,crs).

• CRS indistinguishability is only required to be computational. By applying Theorems 5.1 and 5.5, we obtain Fiat-Shamir instantiations for 3-message proof systems Π with (instance-dependent) trapdoor decidable bad challenges. Theorem 5.9. Suppose that Π is a 3-message public coin proof system that has time-T trapdoor decidable bad challenges, such that the relation R(td) in Definition 5.7 has sparsity at most 1 −  for  ≥ λ−O(1). Then, for any t ≥ λ/, there exists a hash family H that is FS-compatible with Π(t) (guaranteeing adaptive soundness). Similarly, if Π has time-T instance-dependent trapdoor decidable bad challenges and each R(td,x) has sparsity at most 1 − , then there exists an H that is FS-compatible with Π(t) (guaranteeing selective soundness). In both cases, H can be evaluated in time poly(T, t, λ). Proof Sketch. By (statistical) CRS indistinguishability, we may assume that crs is sampled as (crs, td) ← TrapGen(1λ) in the (adaptive) soundness security game. If Π is repeated t times in parallel, then following [CCH+19], we know that H is FS-compatible with Π(t) if it is CI for the relation

n
o R = x|α1| ... |αt, β1| ... |βt : ∃γ : V (x, αi, βi, γi) = 1 for all i. By the definition of BadChallengeTest, R is contained in the relation

0 n
o R = x|α1| ... |αt, β1| ... |βt : BadChallengeTest(td, x, αi, βi) = 1 for all i ,

31 By assumption on TrapGen, R0 is a time T verifiable product relation with product sparsity at most 1 − . Thus, the theorem follows from Theorem 5.1. The proof for the non-adaptive case is analogous.

5.3 Commit and Open Protocols A commit-and-open protocol is a ubiquitous type of protocol that always has trapdoor-decidable bad challenges when the commitment scheme is instantiated using public-key encryption.

Definition 5.10 (3-Message Commit-and-Open Protocol). An interactive proof system for a lan- guage L is said to be commit-and-open if it is defined relative to a statistically binding commitment oracle Com and has the following structure.

1. The verifier takes as an input a string x ∈ {0, 1}n.

2. The prover sends a message α consisting of a string of commitments (comi)i∈[M] for some M = M(n) ≤ nO(1).

3. The verifier V sends a random challenge β ← [q] for some q = q(n).

4. The prover sends a message γ containing openings of the commitments (comi)i∈Sβ , where th Sβ ⊆ [M] is a set that is efficiently computable from β. We denote the i such opening by (bi, di).

5. The verifier checks that for each i ∈ Sβ, (bi, di) is a valid opening of comi (and otherwise |Sβ |
rejects). If so, the verifier accepts if some predicate V x, α, β, (bi)i=1 = 1. In particular, this predicate ignores the di’s. The important attributes of Definition 5.10 (that distinguish commit-and-open protocols from arbitrary 3-message protocols) are that the third message only consists of openings, and that the verifier rejects incorrect openings and otherwise ignores the decommitments di. Therefore, by instantiating Com using a public-key encryption scheme, the PKE decryption key sk allows for efficient verification of whether a challenge β is “bad” for a pair (x, α), because the bits (bi) for a valid decommitment can be extracted from α using sk.

Lemma 5.11. Let Π denote a 3-message commit-and-open protocol. Then, if Com is instantiated using a public-key encryption scheme as in Remark 2.7, then Π has time-T trapdoor decidable bad challenges, where T is equal to the runtime of V (·) plus a fixed polynomial in the security parameter.

Proof. We give Π the syntax of a protocol with trapdoor decidable bad challenges as follows:

• TrapGen(1λ) is defined to sample (pk, sk) ← Gen(1λ) and output (crs = pk, td = sk).

• The relation R(td) is defined as

(td) n |Sβ | o R = (x|α, β): V (x, α, (bi)i=1 ) = 1, for bi = Dec(sk, comi) .

• The algorithm BadChallengeTest(td, x, α, β) parses α = (comi), computes bi = Dec(sk, comi) |Sβ | for all i ∈ Sβ, and computes V (x, α, (bi)i=1 ).

32 Correctness follows immediately from the decryption correctness property of PKE.

Given Lemma 5.11, Theorem 5.5 implies that all commit-and-open protocols have sound Fiat- Shamir instantiations when sufficiently repeated in parallel.

Theorem 5.12. Assume that LWE holds, and let Π be any 3-message commit-and-open interactive proof with soundness error 1 − , where  ≥ λ−O(1) for a computational security parameter λ. Let the commitment scheme in Π be instantiated using public-key encryption as in Remark 2.7. Then for any t = t(λ) ≥ λ/, there is a hash family H that is Fiat-Shamir compatible with Πt as in Definition 2.13. The hash functions in H are evaluable in time T · poly(λ), where T = T (n) is the running time of the verifier for Π, and n is the length of an input for Π.

Proof. This follows immediately from Theorem 5.9 and Lemma 5.11.

5.4 Zero Knowledge is Not Preserved by Parallel Repetition Finally, we invoke [DNRS99] to conclude that parallel repetition of commit-and-open protocols (such as GMW) does not preserve zero-knowledge.

Theorem 5.13. Assume that LWE holds. Then, there exists a commitment scheme C such that for every 3-message commit-and-open proof-system Π in the commitment oracle model (as per t Definition 5.10) for a language L/∈ BPP with soundness error 1 − , it holds that (ΠC ) is not zero-knowledge, where ΠC denotes the instantiation of the commitment oracle in Π by C and t = λ/ for a security parameter λ.

Proof. Fix C to be the public-key encryption based commitment-scheme of Remark 2.7. Let Π be a 3-message commit-and-open proof-system with soundness error 1 −  (in the commitment oracle model). Denote by ΠC the instantiation of Π using C in place of the commitment oracle. t By Theorem 5.12, there exists a hash function family H such that FSH[(ΠC ) ] is computationally t sound, where t = λ/. In other words, H is FS-compatible with (ΠC ) . t Thus, by Theorem 2.14, and using the assumption that L/∈ BPP, we have that (ΠC ) is not zero-knowledge.

Remark 5.14. Assuming the subexponential variant of LWE, the number of repetitions t in The- logc λ orem 5.13 can be reduced to  for some constant c > 1 (in fact, under the strongest plausible LWE assumption c can even be 1 + δ(n) for some δ(n) = o(1)). This still leaves open the somewhat bizarre possibility that for some very specific values of t (e.g., t = log(λ) · log?(λ)), the parallel repeated protocol Πt is both sound and zero knowledge. In fact, it is known that this sort of gap is difficult to avoid: [BLV03] show that for any HVZK commit-and-open protocol Π with poly-size challenge space, if Circuit-SAT has a 2o(n) time algo- rithm, then some ω(1)-parallel repetition of Π is zero knowledge. Thus, resolving this gap implies an exponential lower bound for Circuit-SAT.

6 Fiat-Shamir for Round-By-Round Sound Protocols

In this section, we extend the results of Section5 to the setting of Fiat-Shamir for multi-round protocols. We achieve this in three steps.

33 • In Section 6.1, we construct a (probabilistic) code with efficient list recovery in the presence of errors.

• We then combine this code with Lemma 3.6 to obtain a CI hash family for efficiently verifiable approximate product relations.

• In Section 6.2, we apply our new CI hash family to instantiate FS for a family of round- by-round sound interactive proofs. There are three variants of this result, depending on the precise efficiency requirement imposed on the interactive proof. In particular, we achieve FS instantiations for a larger class of protocols by making use of lossy correlation intractability [JKKZ20].

6.1 CI for Efficiently Verifiable Approximate Product Relations Our main result in this section is a construction of correlation intractable hash families for approx- imate product relations (see Definition 3.2) over polynomial-size alphabets.

Theorem 6.1. Let R ⊆ X × Y t be a time-T verifiable α-approximate product relation with product sparsity at most ρ < α. Set λ = t · (α − ρ)3. Then, assuming that all poly(T, λ)-time adversaries solve LWE26 with
probability at most , there is a hash family H = Hn that is T + poly(λ),  · poly(λ) -correlation intractable for R. Moreover, H depends only on (X, Y, T, t, α) (and not otherwise on R).

Remark 6.2. By pre-composing our hash family H with a lossy trapdoor function, we also obtain a hash family H0 satisfying lossy correlation intractability [JKKZ20] for the same class R of relations.

To prove Theorem 6.1, we first construct a family of list-recoverable codes in the presence of errors. We begin by describing the salient list recovery (with errors) properties of Parvaresh-Vardy codes, which follow as a corollary of Theorem 4.1.

Proposition 6.3. For every α = α(k) ≥ k−O(1) and every ` = `(k) ≤ kO(1), there exists Q(k) ≤ kO(1) and a constructable ensemble of codes

 k O(k2/α) Ck : {0, 1} → [Q(k)] + k∈Z that is (α, `, O(k`/α))-list recoverable in time kO(1), where the exponent depends on all previous parameters. More precisely, Q(k) is bounded by 2k2/α(k)
2 logk(`/α) and the list recovery algorithm’s running log (`/α) time is a fixed polynomial in k, `, 1/α, and logk(`/α) k . Proof. We obtain such an ensemble from Theorem 4.1 by setting:

• q to be the smallest power of two that is at least k2/α(k) (which is kO(1) because α(k) is k−O(1));

26 λ O(1) Specifically, we need to assume the hardness of LWEn,m,q,χ for n = O( log λ ), m = 2n log q, q = λ , and χ the uniform distribution on [−B,B] for some B = λΩ(1), as in Definition 2.8.

34 s+1  α  qs • s to be a large enough constant (depending on α) so that s+1 · ks > ` for all sufficiently large k. Specifically, one should set s to be the smallest integer that is at least logk(`/α). Next, we describe a corollary of Theorem 4.2, which (similarly to Proposition 5.3) focuses on asymptotics, this time for list recovery with errors.

` Proposition 6.4. For all q = q(k), ` = `(k), Q = Q(k), and α = α(k), ` < q, and α > q , there  q  `·log(Q)·log ` exists L = L(k) ≤ O (α−`/q)2 such that a random function

log Q f :[Q] → [q] 2(α−`/q)2 is combinatorially (α, `, L)-list recoverable with all but 2−Ω(L) probability.

log Q Proof. Given q, `, L, and α as above, define n = n(k) = 2(α−`/q)2 . This n is big enough that by the additive Chernoff bound (Theorem 2.20), we have

ρ def= Pr[Binom(n, `/q) ≥ αn] ≤ 1/Q.

 q  Then setting L = c · Q · ρ + ` · n · log ` for a large enough constant c and applying Theorem 4.2 implies the corollary.

By concatenating the two codes above (with carefully chosen parameters), we obtain codes with list recoverability parameters that are useful for our applications.

Lemma 6.5. For every ` = `(k), q = q(k), α = α(k) with ` < q ≤ kO(1) and α ≥ `/q + k−O(1), there is a probabilistically constructable ensemble of codes

k2 log k
n k O 3 o Ck : {0, 1} → [q] (α−`/q) k∈Z+ that is (α, `, kO(1))-list recoverable in time kO(1) with all but 2−Ω(k) probability. 27 1 More precisely, the running time of the list recovery algorithm is a fixed polynomial in k, `, α−`/q , and Q∗ for   2 ! ∗ 8`k log(q/`) 4k log (Q ) ≤ 2 log   log = O(1). k k `
3 k α − ` α − q q

def 1 ` Proof. Suppose we are given `, q, and α as above. Let β = 2 (α + q ). Proposition 6.4 guarantees O(1) O(1) log Q that for all Q = Q(k) ≤ k , there is some LQ = LQ(k) ≤ k such that with n(k) = 2(β−`/q)2 , n −Ω(L ) a random function fQ :[Q] → [q] is combinatorially (β, `, LQ)-list recoverable with all but 2 Q  q   q  `·log(Q)·log ` `·log k·log ` probability. More precisely, this LQ(k) satisfies LQ(k) ≤ O (β−`/q)2 , which is O (β−`/q)2 because we required that Q ≤ kO(1). For the same reason, the brute force list recovery algorithm O(1) for such an fQ is efficient (running in time O(Q · n · log q) = k ).

27We write down this explicit expression because it determines the runtime of the Fiat-Shamir hash functions in Theorem 6.13.

35  q  q ? ? `·log(Q)·log ` ? O(1) ? `·k·log ` Let L = L (k) satisfy ω (β−`/q)2 ≤ L ≤ k (for instance, set L = (β−`/q)2 ). Setting α−β ? ? O(1) α˜ = 1−β , Proposition 6.3 guarantees the existence of Q = Q (k) ≤ k such that there is a constructable ensemble of codes

 k ∗ O(k2/α˜) C = Ck : {0, 1} → [Q (k)]

 ?  ? ? kL
? 2 2 logk(L /α˜) that is α,˜ L ,O α˜ -list recoverable. More precisely, Proposition 6.3 gives Q (k) ≤ (2k /α˜) . Also note that α − β 1 α˜ = ≥ α − β = · (α − `/q) ≥ k−O(1) 1 − β 2 and ` 1 ` β − = (α − ). q 2 q

Choosing fQ = fQ? from above, we conclude that the concatenation

2 C ◦ f : {0, 1}k → [q]O(nk /α˜). satisfies our desired properties by Lemma 4.3.

By plugging the (randomized) code from Lemma 6.5 and the hash family of Theorem 2.11 into Theorem 3.7, we obtain Theorem 6.1.

6.2 Applications to Fiat-Shamir for Round-by-Round Sound Protocols Following [CCH+18, CCH+19], we consider the notion of round-by-round soundness to capture a form of soundness for interactive proofs of greater than 3 messages that is compatible with the notion of correlation intractability.

Definition 6.6 (Round-by-Round Soundness, [CCH+18, CCH+19]). Let Π = (P,V ) be a 2r + 1-message public coin interactive proof system for a language L. We say that Π has round-by- round soundness error δ(·) (or is δ-RBR sound) if there is a deterministic (not necessarily efficiently computable) function State, which takes as input an instance x and a transcript prefix τ and outputs either acc or rej such that the following holds:

1. If x 6∈ L, then State(x, ∅) = rej, where ∅ denotes the empty transcript.

2. For every input x and partial transcript τ = τi, if State(x, τ) = rej, then for every potential prover message αi+1, it holds that

h
i Pr State x, τ|αi+1|βi+1 = acc ≤ δ(n). βi+1

3. For any full transcript τ (i.e., consisting of 2r+1 messages), if State(x, τ) = rej then V (x, τ) = 0.

We say that Π is round-by-round sound if it has round-by-round soundness error δ for some δ(n) = negl(n).

36 By a union bound, a proof system with round-by-round soundness error δ has standard sound- ness error at most r · δ. Canetti et al. [CCH+18] related the soundness of Fiat-Shamir, when applied to a round-by-round sound protocol, to the correlation intractability of the hash function H.

Theorem 6.7 ([CCH+18, Theorem 5.8]). Suppose that Π = (P,V ) is a 2r + 1-message public- coin interactive proof for a language L with perfect completeness and round-by-round soundness with state function State. Let Xn denote the set of partial transcripts (including the input and all messages sent) and let Yn denote the set of verifier messages when Π is executed on an input of length n. Finally, define the relation ensemble R = RState as follows:

 n   x ∈ {0, 1} ,  (n) def 
  RState = x, τ|α , β : State(x, τ) = rej, and .  State(x, τ|α|β) = acc 

If a hash family H = {Hn : Xn → Yn} is correlation intractable for R, then the non-interactive protocol ΠFS,H is an adaptively sound argument system for L.

1 In this work, we consider protocols Π with round-by-round soundness error ρ < r . We then consider applying the Fiat-Shamir transform to a parallel repetition Πt (for sufficiently large t). To analyze this, we must also analyze how parallel repetition works for round-by-round sound protocols.28

Definition 6.8 (Threshold State Function). Let Π denote a 2r + 1-message public-coin interactive proof system with round-by-round soundness δ and corresponding state function State. We then define the threshold state function State(t) defined on the t-fold parallel repetition Πt: decomposing (t) a (partial) transcript of Π as a tuple (τ1, . . . , τt) (where each τi is a partial transcript for Π), we define

r − j State(t)(x, τ , . . . , τ ) = rej ⇐⇒ {i ∈ [t]: State(x, τ ) = rej} ≥ 1 + · (t − 1), 1 t i r where j is the number of verifier messages in each τi. Lemma 6.9. If Π is a protocol as in Definition 6.8, then State(t) gives Π(t) the structure of a round-by-round sound proof system with RBR soundness error bounded by ! t − 1 2 δ(t) := exp −2 − δ t , r · t

t−1 provided that r·t > δ. (t) Proof. This follows from the fact that for any partial transcript (x, τ1, . . . , τt), if State (x, τ1, . . . , τt) (t) t−1 = rej but State (x, τ1|α1,j+1|β1,j+1, . . . , τt|αt,j+1|βt,j+1) = acc, then at least r “slots” of τ 28In [CCH+18, CCH+19], it is noted that sufficient parallel repetition of any public-coin interactive proof results in a round-by-round sound protocol, but this transformation results in a rather complex State function; we want a transformation that roughly preserves the State function of the starting protocol (which we assume to satisfy some form of RBR soundness).

37 changed from rej to acc according to State. Thus, for any τ such that State(t)(x, τ) = rej and (t) any α = (α1,j+1, . . . , αt,j+1), the probability over β that State (x, τ|α|β) = acc is at most the t−1 probability that at least r out of t i.i.d. Bernoulli events with mean δ occur. By a Chernoff bound, this happens with probability at most δ(t), as desired.

The proof of Lemma 6.9 in fact shows that the “bad challenge relation” for (Π(t), State(t)) is t−1 an α-approximate product relation with product sparsity δ, where α = r·t . Therefore, if the relation RState(t) is efficiently product-verifiable (or, equivalently, the relation RState is efficiently verifiable), we can apply Theorem 6.1 to obtain a sound Fiat-Shamir instantiation for the protocol Π(t), provided that t is large enough.

6.2.1 Notions of Bad Challenge Efficient Decidability In this section, let Π be a 2r + 1-message (public-coin) interactive proof system for a language L. Definition 6.10 (Trapdoor Decidable Bad Challenges). We say that public-coin interactive proof Π for a language L in the CRS model has round-by-round soundness error δ with time-T trapdoor decidable bad challenges if there exist • An efficient algorithm TrapGen(1λ) that outputs a pair (crs, td); • A δ-sparse binary relation R(td); and

• An algorithm BadChallengeTest(td, x, j, τj−1|αj, βj) that takes as input the trapdoor td, the instance x, a transcript prefix τj−1|αj (consisting of j prover messages and j − 1 verifier messages), and a verifier message βj, satisfying the following properties: • When sampling (crs, td) ← TrapGen(1λ), the distribution of crs is statistically indistinguishable from that of an honestly generated CRS.

(td) • R contains the bad-challenge relation RState (Definition 5.6).

• BadChallengeTest(td, x, j, τj−1|αj, βj) runs in time T and outputs 1 if and only if (x|τj−1|αj, βj) ∈ R(State). Definition 6.10 is a strict generalization of Definition 5.7 and captures the multi-round protocols for which we can instantiate Fiat-Shamir based on polynomial hardness of appropriately chosen CI hash families. As in Section 5.3, a similar definition captures non-adaptively sound Fiat-Shamir instantiations. Definition 6.11. We say that Π has round-by-round soundness error δ with time-T instance-dependent trapdoor decidable bad challenges if it satisfies Definition 6.10 with the following modifications: • TrapGen(1λ, w) also takes as input non-uniform advice w about the instance x; and • BadChallengeTest and R(td,x) are defined with respect to the non-adaptive bad challenge rela- tion ( ) State(x, τ) = rej, and R = (τ|α, β): . State,x State(x, τ|α|β) = acc

instead of with respect to RState.

38 • CRS indistinguishability is only required to be computational. Finally, we give a third definition further generalizing the previous two in a way that captures the Sumcheck and GKR protocols with succinct bad challenge testing. However, this variant requires stronger assumptions on the CI hash compiler. Definition 6.12. We say that Π has round-by-round soundness error δ with time-T prefix-dependent trapdoor decidable bad challenges if it satisfies Definition 6.10 with the following modifications:

λ ∗ • TrapGen(1 , zβ∗ ) also takes as input non-uniform advice z = f(x, β ) about the instance x ∗ ∗ ∗ and a string β = (β1 , . . . , βr ) consisting of (fixed) verifier messages. • BadChallengeTest and R(td,x) are defined with respect to the non-adaptive bad challenge rela- (State,x) tion R instead of with respect to RState. Moreover, “correctness” is relaxed to the follow- ing set containment: for all rounds j and strings β∗, when sampling (crs, td) ← TrapGen(1λ, f(x, β∗)),

(td,x) n (State,x) ∗ ∗ o R ⊇ (τ|αj, βj) ∈ R :(β1, . . . , βj−1) = (β1 , . . . , βj−1) .

• CRS indistinguishability is only required to be computational.

6.2.2 Putting Everything Together Given our efficient bad challenge notions from Section 6.2.1 and our CI hash family from Section 6.1, we are ready to state our Fiat-Shamir result for round-by-round sound protocols. Theorem 6.13. Let Π be a 2r + 1-message (public-coin) interactive proof system for a language L + in which the verifier’s messages are uniformly random on [q] for some q ∈ Z and prover messages + are bit strings of length a = a(n). Let δ = δ(n) ∈ (0, 1) and λ = λ(n) ∈ Z be functions, and define λ t = . 1 3 ( 2r − δ) 1 ? Then, there exists TDec = TDec(n) that is a polynomial in λ, δq, 1 , and Q , where 2r −δ ! ! 8δq log(1/δ) λ2 log Q? = log log , λ λ 1
3 λ 1 − δ 2r − δ 2r such that: • If Π has round-by-round soundness error δ with time-T trapdoor decidable bad challenges, then assuming the hardness of LWE there is a hash family H that is adaptively FS-compatible with Πt as in Definition 2.13.

• If Π has round-by-round soundness error δ with time-T instance-dependent trapdoor decidable bad challenges, then assuming the hardness of LWE there is a hash family H that is non- adaptively FS-compatible with Πt.

• If Π has round-by-round soundness error δ with time-T prefix-dependent trapdoor decidable bad challenges, then under the subexponential advantage variant of the LWE assumption, there is a hash family H that is non-adaptively FS-compatible with Πt.

39 Moreover, • Assuming subexponential hardness for LWE, the first two results extend to also give FS- compatibility with SubExp(λ) quantitative security. • These hash families depend only on (a(·), q(·), δ(·),T (·), λ(·), r(·)) and otherwise do not depend on Π.
• Hash function evaluation can be done in time that is O (qT + TDec) · poly(λ) . The qT term can also be replaced by the amount of time required to enumerate bad challenges for Π.

Example Application: Fiat-Shamir for GKR We now sketch how, assuming subexponential LWE, Theorem 6.13 allows us to soundly apply the Fiat-Shamir transform to the doubly-efficient public-coin interactive proof of Goldwasser, Kalai, and Rothblum [GKR08]. This interactive proof, which we refer to as GKR, is applicable to (log-space uniform) bounded-depth computations. We will fix some family of (log-space uniform) circuits with depth d = d(n) and size s = s(n). GKR is additionally parameterized by a finite field of order q = q(n). The best efficiency (in our case) is achieved for q a power of two, which yields the following parameters: • The round complexity is O(d · log n); • The prover runs in time poly(s, log q); • The verifier runs in time n · poly(d, log s, log q); • The proof system has round-by-round soundness error δ = δ(n) with time-T (= T (n)) prefix- log n dependent trapdoor decidable bad challenges, where δ = O( q ) and T = poly(log n, log s, log q). In particular, the number of bad verifier challenges at any round is ` = O(log n) When applying the Fiat-Shamir transform to GKR, we would like to preserve the feature that the verifier’s running time is much less than (and ideally polylogarithmic in) the time required to evaluate the circuit. Specifically, we would like the Fiat-Shamir hash functions to be evaluable in time n · poly(d, log q, log s, log n). This was done by [JKKZ20] for very large q, i.e. q > (d`)κ1/ for a computational security parameter κ. Here we focus on the other extreme of parameter settings, where q is small (say polylog(n)), and soundness is amplified by parallel repetition. To accomplish this, when applying Theorem 6.13 we set λ = (d log n) · κ1/, where  denotes the exponent of our subexponential LWE assumption. Applying Theorem 6.13, we bound the runtime of the verifier as follows. First, note that 1 1 1 − δ ≥ = , 2r 4r 4d log(n) ? and so logλ(Q ) = O(A · B) for

A = logλ(8d` log(λ) log(n)) = O(1) and 2 B = logλ(λ d log(n))) = O(1). Therefore, Q? = poly(λ) = poly(d, κ) and so verification runs in time n · poly(d, κ, log s, q, log n), which is n · poly(d, κ, log s, log n) by the assumption that q is polylog(n). Finally, we note that:

40 • Because Theorem 6.13 gives us sub-exponential security in κ, if our goal is to achieve poly(n) security (i.e., negl(n) soundness error against poly(n) size provers), we can set κ = polylog(n). Then, the hash function evaluation time (and hence the verifier running time) will be O˜(n). • By using a root-finding algorithm (see [CCH+19, JKKZ20]) instead of a root verification algorithm (as used in Theorem 6.13 above) in our CI analysis, we can reduce the verifier runtime dependence on q to poly(`, log q) (instead of poly(q)), enabling us to handle all field sizes (not just polylogarithmic). • At the expense of a larger number of repetitions (incurring a multiplicative overhead of q), we could replace our Parvaresh-Vardy based code with a concatenation of a Reed-Solomon code with a random code for a faster running time of the hash function (i.e. some fixed polynomial in (λ, d) for all choices of λ, d instead of explicitly requiring λ ≥ d log(n)).

Acknowledgements

We thank Vinod Vaikuntanathan for helpful discussions and feedback.

References

[AK97] Vikraman Arvind and Johannes Köbler. On resource-bounded measure and pseudo- randomness. In International Conference on Foundations of Software Technology and Theoretical Computer Science, pages 235–249. Springer, 1997. [Bar01] Boaz Barak. How to go beyond the black-box simulation barrier. In 42nd FOCS, pages 106–115. IEEE Computer Society Press, October 2001. [BBC+14] Boaz Barak, Nir Bitansky, Ran Canetti, Yael Tauman Kalai, Omer Paneth, and Amit Sahai. Obfuscation for evasive functions. In Yehuda Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 26–51. Springer, Heidelberg, February 2014. [BBH+19] James Bartusek, Liron Bronfman, Justin Holmgren, Fermi Ma, and Ron D. Rothblum. On the (in)security of kilian-based SNARGs. In Dennis Hofheinz and Alon Rosen, edi- tors, TCC 2019, Part II, volume 11892 of LNCS, pages 522–551. Springer, Heidelberg, December 2019. [BCS16] Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner. Interactive oracle proofs. In Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS, pages 31–60. Springer, Heidelberg, October / November 2016. [BDG+13] Nir Bitansky, Dana Dachman-Soled, Sanjam Garg, Abhishek Jain, Yael Tauman Kalai, Adriana López-Alt, and Daniel Wichs. Why “Fiat-Shamir for proofs” lacks a proof. In Amit Sahai, editor, TCC 2013, volume 7785 of LNCS, pages 182–201. Springer, Heidelberg, March 2013. [BFJ+20] Saikrishna Badrinarayanan, Rex Fernando, Aayush Jain, Dakshita Khurana, and Amit Sahai. Statistical ZAP arguments. In Anne Canteaut and Yuval Ishai, editors, EURO- CRYPT 2020, Part III, volume 12107 of LNCS, pages 642–667. Springer, Heidelberg, May 2020.

41 [BGG90] Mihir Bellare, Oded Goldreich, and Shafi Goldwasser. Randomness in interactive proofs. In 31st FOCS, pages 563–572. IEEE Computer Society Press, October 1990.

[BKM20] Zvika Brakerski, Venkata Koppula, and Tamer Mour. NIZK from LPN and trapdoor hash via correlation intractability for approximable relations. In Daniele Micciancio and Thomas Ristenpart, editors, CRYPTO 2020, Part III, volume 12172 of LNCS, pages 738–767. Springer, Heidelberg, August 2020.

[BKP18] Nir Bitansky, Yael Tauman Kalai, and Omer Paneth. Multi-collision resistance: a paradigm for keyless hash functions. In Ilias Diakonikolas, David Kempe, and Monika Henzinger, editors, 50th ACM STOC, pages 671–684. ACM Press, June 2018.

[Blu86] Manuel Blum. How to prove a theorem so no one else can claim it. In Proceedings of the International Congress of Mathematicians, volume 1, page 2. Citeseer, 1986.

[BLV03] Boaz Barak, Yehuda Lindell, and Salil P. Vadhan. Lower bounds for non-black-box zero knowledge. In 44th FOCS, pages 384–393. IEEE Computer Society Press, October 2003.

[BM82] Manuel Blum and Silvio Micali. How to generate cryptographically strong sequences of pseudo random bits. In 23rd FOCS, pages 112–117. IEEE Computer Society Press, November 1982.

[BR94] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, CRYPTO’93, volume 773 of LNCS, pages 232–249. Springer, Heidelberg, August 1994.

[CCH+18] Ran Canetti, Yilei Chen, Justin Holmgren, Alex Lombardi, Guy N. Rothblum, and Ron D. Rothblum. Fiat-Shamir from simpler assumptions. Cryptology ePrint Archive, Report 2018/1004, 2018. https://eprint.iacr.org/2018/1004. Part 1 of [CCH+19].

[CCH+19] Ran Canetti, Yilei Chen, Justin Holmgren, Alex Lombardi, Guy N. Rothblum, Ron D. Rothblum, and Daniel Wichs. Fiat-Shamir: from practice to theory. In Moses Charikar and Edith Cohen, editors, 51st ACM STOC, pages 1082–1090. ACM Press, June 2019.

[CCR16] Ran Canetti, Yilei Chen, and Leonid Reyzin. On the correlation intractability of obfus- cated pseudorandom functions. In Eyal Kushilevitz and Tal Malkin, editors, TCC 2016- A, Part I, volume 9562 of LNCS, pages 389–415. Springer, Heidelberg, January 2016.

[CCRR18] Ran Canetti, Yilei Chen, Leonid Reyzin, and Ron D. Rothblum. Fiat-Shamir and correlation intractability from strong KDM-secure encryption. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part I, volume 10820 of LNCS, pages 91–122. Springer, Heidelberg, April / May 2018.

[CGH98] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, re- visited (preliminary version). In 30th ACM STOC, pages 209–218. ACM Press, May 1998.

42 [CLW18] Ran Canetti, Alex Lombardi, and Daniel Wichs. Fiat-Shamir: From practice to theory, part II (NIZK and correlation intractability from circular-secure FHE). Cryptology ePrint Archive, Report 2018/1248, 2018. https://eprint.iacr.org/2018/1248. Part 2 of [CCH+19].

[DNRS99] Cynthia Dwork, Moni Naor, Omer Reingold, and Larry J. Stockmeyer. Magic functions. In 40th FOCS, pages 523–534. IEEE Computer Society Press, October 1999.

[DS11] Yevgeniy Dodis and John P. Steinberger. Domain extension for MACs beyond the birthday barrier. In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 323–342. Springer, Heidelberg, May 2011.

[DW20] Dean Doron and Mary Wootters. High-probability list-recovery, and applications to heavy hitters. ECCC, 2020. https://eccc.weizmann.ac.il/report/2020/162/.

[FGJ18] Nils Fleischhacker, Vipul Goyal, and Abhishek Jain. On the existence of three round zero-knowledge proofs. In Jesper Buus Nielsen and Vincent Rijmen, editors, EURO- CRYPT 2018, Part III, volume 10822 of LNCS, pages 3–33. Springer, Heidelberg, April / May 2018.

[FLS90] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In 31st FOCS, pages 308– 317. IEEE Computer Society Press, October 1990.

[For66] G David Forney. Concatenated codes. 1966.

[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, CRYPTO’86, volume 263 of LNCS, pages 186–194. Springer, Heidelberg, August 1986.

[GI01] Venkatesan Guruswami and Piotr Indyk. Expander-based constructions of efficiently decodable codes. In 42nd FOCS, pages 658–667. IEEE Computer Society Press, October 2001.

[GI02] Venkatesan Guruswami and Piotr Indyk. Near-optimal linear-time codes for unique decoding and new list-decodable codes over smaller alphabets. In 34th ACM STOC, pages 812–821. ACM Press, May 2002.

[GI03] Venkatesan Guruswami and Piotr Indyk. Linear time encodable and list decodable codes. In 35th ACM STOC, pages 126–135. ACM Press, June 2003.

[GI04] Venkatesan Guruswami and Piotr Indyk. Linear-time list decoding in error-free settings: (extended abstract). In Josep Díaz, Juhani Karhumäki, Arto Lepistö, and Donald San- nella, editors, ICALP 2004, volume 3142 of LNCS, pages 695–707. Springer, Heidelberg, July 2004.

[GJJM20] Vipul Goyal, Abhishek Jain, Zhengzhong Jin, and Giulio Malavolta. Statistical zaps and new oblivious transfer protocols. In Anne Canteaut and Yuval Ishai, editors, EURO- CRYPT 2020, Part III, volume 12107 of LNCS, pages 668–699. Springer, Heidelberg, May 2020.

43 [GK96] Oded Goldreich and Hugo Krawczyk. On the composition of zero-knowledge proof systems. SIAM Journal on Computing, 25(1):169–192, 1996.

[GK03] Shafi Goldwasser and Yael Tauman Kalai. On the (in)security of the Fiat-Shamir paradigm. In 44th FOCS, pages 102–115. IEEE Computer Society Press, October 2003.

[GKR08] Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. Delegating computation: interactive proofs for muggles. In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC, pages 113–122. ACM Press, May 2008.

[GMR85] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof-systems (extended abstract). In 17th ACM STOC, pages 291–304. ACM Press, May 1985.

[GMW86] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design. In Andrew M. Odlyzko, editor, CRYPTO’86, volume 263 of LNCS, pages 171–185. Springer, Heidel- berg, August 1986.

[GO94] Oded Goldreich and Yair Oren. Definitions and properties of zero-knowledge proof systems. Journal of Cryptology, 7(1):1–32, December 1994.

[Gol07] Oded Goldreich. Foundations of cryptography: volume 1, basic tools. Cambridge uni- versity press, 2007.

[Gol11] Oded Goldreich. A sample of samplers: A computational perspective on sampling. In Studies in Complexity and Cryptography. Miscellanea on the Interplay between Ran- domness and Computation, pages 302–332. Springer, 2011.

[GR08] Venkatesan Guruswami and Atri Rudra. Soft decoding, dual bch codes, and better list-decodable e-biased codes. In 2008 23rd Annual IEEE Conference on Computational Complexity, pages 163–174. IEEE, 2008.

[GS98] Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed-Solomon and algebraic-geometric codes. In 39th FOCS, pages 28–39. IEEE Computer Society Press, November 1998.

[GUV09] Venkatesan Guruswami, Christopher Umans, and Salil Vadhan. Unbalanced expanders and randomness extractors from parvaresh–vardy codes. Journal of the ACM (JACM), 56(4):1–34, 2009.

[GW11] Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In Lance Fortnow and Salil P. Vadhan, editors, 43rd ACM STOC, pages 99–108. ACM Press, June 2011.

[HIOS15] Iftach Haitner, Yuval Ishai, Eran Omri, and Ronen Shaltiel. Parallel hashing via list re- coverability. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, pages 173–190. Springer, Heidelberg, August 2015.

44 [HL18] Justin Holmgren and Alex Lombardi. Cryptographic hashing from strong one-way func- tions (or: One-way product functions and their applications). In Mikkel Thorup, editor, 59th FOCS, pages 850–858. IEEE Computer Society Press, October 2018.

[HW15] Brett Hemenway and Mary Wootters. Linear-time list recovery of high-rate expander codes. In Magnús M. Halldórsson, Kazuo Iwama, Naoki Kobayashi, and Bettina Speck- mann, editors, ICALP 2015, Part I, volume 9134 of LNCS, pages 701–712. Springer, Heidelberg, July 2015.

[IKOS07] Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, and Amit Sahai. Zero-knowledge from secure multiparty computation. In David S. Johnson and Uriel Feige, editors, 39th ACM STOC, pages 21–30. ACM Press, June 2007.

[Ish20] Yuval Ishai. Zero-knowledge proofs from information-theoretic proof systems. 2020. https://zkproof.org/2020/08/12/information-theoretic-proof-systems/.

[IW97] Russell Impagliazzo and Avi Wigderson. P = BPP if E requires exponential circuits: Derandomizing the XOR lemma. In 29th ACM STOC, pages 220–229. ACM Press, May 1997.

[JKKZ20] Ruta Jawale, Yael Tauman Kalai, Dakshita Khurana, and Rachel Zhang. SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. IACR Cryptol. ePrint Arch, 2020:980, 2020. To appear in STOC 2021.

[Kil92] Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended ab- stract). In 24th ACM STOC, pages 723–732. ACM Press, May 1992.

[KNY18] Ilan Komargodski, Moni Naor, and Eylon Yogev. Collision resistant hashing for para- noids: Dealing with multiple collisions. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, pages 162–194. Springer, Heidelberg, April / May 2018.

[KRR17] Yael Tauman Kalai, Guy N. Rothblum, and Ron D. Rothblum. From obfuscation to the security of Fiat-Shamir for proofs. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part II, volume 10402 of LNCS, pages 224–251. Springer, Heidelberg, August 2017.

[LFKN90] C Lund, L Fortnow, H Karloff, and N Nisan. The polynomial-time hierarchy has inter- active proofs. Proceedings of STOC 1990, pages 2–10, 1990.

[LNPT19] Benoît Libert, Khoa Nguyen, Alain Passelègue, and Radu Titiu. Simulation-sound ar- guments for LWE and applications to KDM-CCA2 security. Cryptology ePrint Archive, Report 2019/908, 2019. https://eprint.iacr.org/2019/908.

[LNPY20] Benoît Libert, Khoa Nguyen, Thomas Peters, and Moti Yung. One-shot fiat-shamir- based nizk arguments of composite residuosity in the standard model. Cryptology ePrint Archive, Report 2020/1334, 2020. https://eprint.iacr.org/2020/1334.

45 [LV20a] Alex Lombardi and Vinod Vaikuntanathan. Fiat-shamir for repeated squaring with applications to PPAD-hardness and VDFs. In Daniele Micciancio and Thomas Risten- part, editors, CRYPTO 2020, Part III, volume 12172 of LNCS, pages 632–651. Springer, Heidelberg, August 2020.

[LV20b] Alex Lombardi and Vinod Vaikuntanathan. Multi-input correlation intractable hash functions via shift-hiding. IACR Cryptology ePrint Archive, Report 2020/1378, 2020. https://eprint.iacr.org/2020/1378.

[LVW19] Alex Lombardi, Vinod Vaikuntanathan, and Daniel Wichs. 2-message publicly verifiable WI from (subexponential) LWE. Cryptology ePrint Archive, Report 2019/808, 2019. https://eprint.iacr.org/2019/808.

[Mer88] Ralph C. Merkle. A digital signature based on a conventional encryption function. In Carl Pomerance, editor, CRYPTO’87, volume 293 of LNCS, pages 369–378. Springer, Heidelberg, August 1988.

[Mic93] Silvio Micali. Fair public-key cryptosystems. In Ernest F. Brickell, editor, CRYPTO’92, volume 740 of LNCS, pages 113–138. Springer, Heidelberg, August 1993.

[MT07] Ueli M. Maurer and Stefano Tessaro. Domain extension of public random functions: Beyond the birthday barrier. In Alfred Menezes, editor, CRYPTO 2007, volume 4622 of LNCS, pages 187–204. Springer, Heidelberg, August 2007.

[Nao03] Moni Naor. On cryptographic assumptions and challenges (invited talk). In Dan Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages 96–109. Springer, Heidelberg, August 2003.

[NW88] Noam Nisan and Avi Wigderson. Hardness vs. randomness (extended abstract). In 29th FOCS, pages 2–11. IEEE Computer Society Press, October 1988.

[Oka93] Tatsuaki Okamoto. Provably secure and practical identification schemes and corre- sponding signature schemes. In Ernest F. Brickell, editor, CRYPTO’92, volume 740 of LNCS, pages 31–53. Springer, Heidelberg, August 1993.

[PS96] David Pointcheval and Jacques Stern. Provably secure blind signature schemes. In Kwangjo Kim and Tsutomu Matsumoto, editors, ASIACRYPT’96, volume 1163 of LNCS, pages 252–265. Springer, Heidelberg, November 1996.

[PS19] Chris Peikert and Sina Shiehian. Noninteractive zero knowledge for NP from (plain) learning with errors. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part I, volume 11692 of LNCS, pages 89–114. Springer, Heidelberg, August 2019.

[PV05] Farzad Parvaresh and Alexander Vardy. Correcting errors beyond the Guruswami-Sudan radius in polynomial time. In 46th FOCS, pages 285–294. IEEE Computer Society Press, October 2005.

[Reg03] Oded Regev. New lattice based cryptographic constructions. In 35th ACM STOC, pages 407–416. ACM Press, June 2003.

46 [RW18] Atri Rudra and Mary Wootters. Average-radius list-recoverability of random linear codes. In Artur Czumaj, editor, 29th SODA, pages 644–662. ACM-SIAM, January 2018.

[SS94] Michael Sipser and Daniel A. Spielman. Expander codes. In 35th FOCS, pages 566–576. IEEE Computer Society Press, November 1994.

[Vad12] Salil P. Vadhan. Pseudorandomness. Now Publishers Inc., 2012. https://people. seas.harvard.edu/~salil/pseudorandomness/.

47